23542300x800000000000000098537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:25.730{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CB18B942C9E4638BB7A586809359AE,SHA256=1273BCC5AF5CEF9F45ED3CEBA375CAFB4C9A17EE132F5E568929F7069A17B42A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.741{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.741{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.725{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.725{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.725{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.724{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.724{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.724{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.710{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.702{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.701{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.698{E8723972-5644-6356-0A00-000000008902}6241516C:\Windows\system32\services.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.674{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.674{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.674{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.673{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.673{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.673{E8723972-5644-6356-0A00-000000008902}6242840C:\Windows\system32\services.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.671{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\system32\msiexec.exe /VC:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{E8723972-5644-6356-0A00-000000008902}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000191067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.670{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.670{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.670{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.669{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.652{E8723972-5646-6356-1400-000000008902}10528252C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.548{E8723972-5646-6356-1600-000000008902}13003348C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.540{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.529{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.529{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:26.823{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD9A8469E3BF06F030A7E353B34ECFA,SHA256=968A9DBBEAF658354C1B9055C68AC3EF9B7D2D88D0BD68BA2EFD1C1AE2E52114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.990{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968B63CF33FDA4802CA505BB4FEDA2D9,SHA256=9EB70E4A3EE27C9A146CAD9311A95F6A5A273842A6CF9F452DDF989FB79268A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.861{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=57443036CEF4EDB6658B7A7394173F6D,SHA256=9BD2516E168AE20D631F6228A5CEBBC322AC921796005F2C28FE90E7463C7150,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.778{E8723972-A812-6356-EB0F-000000008902}75008412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.703{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.702{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.701{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.698{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.694{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.694{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.694{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.693{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.693{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.693{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.605{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.602{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.602{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.602{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.601{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.567{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C0678BE996B7A9B3533B0038760AF9E,SHA256=0EE88A0A1C07D53D6F2DF5469F85571D96292D817ADCBCD41CD0A29FEC69F72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.528{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=98EB7DFE085D7EE844245C80EA568BD1,SHA256=C5CC878D62FE37CEE384BC2E929130409F3E01FBFC550C39369BEE7DA251FA8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:24.109{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60464-false10.0.1.12-8000- 10341000x8000000000000000191146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.385{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.376{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.339{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.334{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.323{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.319{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.313{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.306{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.299{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.290{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.285{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.277{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.271{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.235{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.232{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.066{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A0E712A2AFEB31844BDE5522742748,SHA256=4933031F222FC4BDC6A77EEE2085921C82E722CD491529F28C20D060C6DC2B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.062{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3DEACFACC4DB00F48E3E94641E2713,SHA256=FECAFE8CAA23976BDD6CB65E2A9CEEBC43D07E57A210AF9693E1E42D8106BAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.062{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B275923CA142C8AD5B5D7FF28E2F92CB,SHA256=E43101C7A90FFB029251CD46F5CFC5FCBC2FE7781809D895468867F64BB5C92E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.001{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000098538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:22.884{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:27.915{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAFC3D0C9BBEACA1E28B661254CD032,SHA256=7992C8B9A24D33F640FAC350502FD70A4E2BF7D3BB4269219E861DCFB46428D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.133{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.130{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.129{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.084{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AC3F03FBD9CE34210611E606602FCD,SHA256=C44ABF67DE07C52182E29582099D2D64163F94F37793B0885F82991DBF1E51A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.716{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.716{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.715{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.710{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.198{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=93250550F41C4588469AFF587B3C9ADD,SHA256=DD87F5B95FE8333BD27B2867792F14F1B4BCC88FA4B093546C68198EA219B129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.110{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED5041A6665C53A5166FA1F74B51454,SHA256=C2537869AD0D547D63791A89C5E1B0D7BBF7E6F15E41726333685C13EF0058EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.854{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=645BF94CB62137007011DC1288562433,SHA256=CA2A4BD84C8AC03A2807D31DA56515577EA46180A84549F69D21EBF7DC6D623D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.419{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.415{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.413{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.410{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.408{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.406{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.403{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.401{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.398{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.395{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.394{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.393{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.392{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.388{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.375{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.375{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.374{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.373{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.371{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.369{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.357{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.350{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.348{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.322{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.319{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.308{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.307{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.307{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.295{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.287{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.258{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.251{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.243{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.238{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.237{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.234{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.231{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.229{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.228{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.224{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.223{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.223{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EA4D640D120182F97AFF81FB08F426,SHA256=F66B1F7D06F86B1791D0B9F35AB382211C4323D701E2F760E77D2B1C6C2065EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.221{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x800000000000000098541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:29.005{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BFACDF8DEB54C62C180C71A4638DE4,SHA256=1670B35A63A07EFFD14E78FB05D777C4FC22FD354BCEDCF600366ABE54D13A23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.790{E8723972-A816-6356-ED0F-000000008902}74089720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.759{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.759{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000191242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.724{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943751D69362A2667B35057AD14E30EB,SHA256=659B5C59C09547FDA9A54862D5C23E449CED9883D055931A5BB57930DD61E6DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.591{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.588{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:30.082{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA89AAE95E279E0DCC1795FEF226D846,SHA256=35ECC73449180F351DAFB8BD798698AD8E4C6B53DFAA77CC8BE14139ADE63B9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.951{E8723972-A817-6356-EF0F-000000008902}48567488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.781{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8989CCD0C43E22A7A4C8CCFB541CB3D1,SHA256=6195F3D773CDE853734C7BB4083E6870F7C54445D6D172B40BCB25030E5F56EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.750{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.748{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.748{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.748{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.747{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.747{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.747{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.746{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000098544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:28.744{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:31.163{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDA8F3903E5736150B2CE83FFF0E124,SHA256=86C84B1E1C2900EC80208FFF6DF2A9C3750E3DD9C97E6DF168A0964F622F55B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.626{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B27CF57625A5A0CAB40A769A332F8F5,SHA256=48B36E266D385FDA19D68B6628A830169A6CB75ED711B721DF1C72E75FC93989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.578{E8723972-A817-6356-EE0F-000000008902}24088016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000191258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.925{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60465-false10.0.1.12-8000- 10341000x8000000000000000191257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.249{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.251{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.854{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.853{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.853{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.853{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000191280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.800{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA0C1F9E9F540E0CB3C58130F0CF2F1,SHA256=996F24DC27C0BA08664713E938F46BBD85613BB3D5378A63A415E91421D96E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:32.600{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F7E562BA3E2E32EB39F07B09CDF709E4,SHA256=DD2B62B2D83133828F8272C5B7A7C79D6D27E7A20687A679D0E655ADE9AA13BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:32.256{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6C361A2738F446D89B876234B87C24,SHA256=D1EF77FFAD4EE1369D6B036BFD8D02FEDF484EB6A401AEAB8093DFF55E70328B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.672{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.290{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7B230896722891C9FBE2F0E3AB66303,SHA256=FB2A2107954045E03BD54CB0ED0DFE54E2A39916A057B96F8CE8CFF308E34B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:33.821{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F943A56F9C911B89BDF0D0CD2A3020F7,SHA256=FF9DB818061551F7776E92D547FB81B058FFEF8DAD887F9406A22BAABC0D6CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:33.371{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150321C7E810C388C6B9426536016691,SHA256=57B9333C70F013989CF7ECFE45CC973F9D83F308718E6A4AA5BE320AA8821F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:33.304{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5167F07D6EE9C9EBFA85932CF77C8CE0,SHA256=BF4A2A29C6FE4066D859F9523821B0AA9A594CE949C6173974ED03A7847128B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:34.845{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131C55A2115D2C8A8BF2F942F65D947F,SHA256=47F3B9075EB32F04ED43325B52FE42CE073B33D48C645E107AF051ACFDB45C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:34.460{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E85763F28AEEE220EDD2FBCC8C3FFE,SHA256=0A0BF4785636298DD22E4B97F66BC6D5BEE2903CC932F233B074FD1F4186FEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:35.554{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43B86B99FCE2048A7E00141D484EFC6,SHA256=7A5D48DAC8386B31C1A56FE6684AA8ED3046C8466DF13C562E21AC4E719D67D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.937{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C11F62358D7C0ED575B267A2EFEE3A,SHA256=92DE5BD52F550C978E32762A8D8496BCE78E7DB34E265866BA5EB3250305C786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.922{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.922{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.922{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:36.647{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB548BA18CFF73E9E1110C75604C6D8B,SHA256=CC2E782D05BB51EEAA52A65FF838EF39DFB956C8292786F276EDE0D57AA949B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.949{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A23A73BDC5673A07635EA73A8E8715B,SHA256=9B985A84EBA0A6CA0E63C39B96F11AE7079CB31CC72D00986CB469DB899AA28F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.931{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6BB944697B572E574632FBE4DDB55822,SHA256=42EAC640F3718C6416FC14FE086F99ED80554F7AF989881585A87B956E60AE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.075{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=55898A4C2C7376421E486DA4EC10B198,SHA256=3FAA3DCC84C6E20CA1DB73A4034EC0C6C7A43D8D63BD73C1A9166954F47AF86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:37.733{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671EE2752952116AC24C5F03DD265B17,SHA256=A92F5883586DBB200106272C21F632EE026F6D2F14BD9D0520338DC83FFDD102,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:34.747{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53674-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000191298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.838{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60467-false72.21.91.29-80http 354300x8000000000000000191297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.102{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60466-false10.0.1.12-8000- 23542300x8000000000000000191296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:37.459{E8723972-A811-6356-E80F-000000008902}8072NT AUTHORITY\SYSTEMC:\Windows\system32\wbem\wmiprvse.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\85901D9A10DB11178C1ACC091B3F87900667513CMD5=5752FA13D2040388B50D0A599B755AF9,SHA256=AEE8EB879D7B426CA2495C9989E6A039E0CB9B5FC46BDFFB53CC70B7A467018D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:37.459{E8723972-A811-6356-E80F-000000008902}8072NT AUTHORITY\SYSTEMC:\Windows\system32\wbem\wmiprvse.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\85901D9A10DB11178C1ACC091B3F87900667513CMD5=D6A1DC2E53EB9C8135B71500AF196259,SHA256=0FDF371D1A90626666521A6BD13610AFF369DF52B3863816C156756C78B59A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:38.813{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8D221B53513A8759C32EA9313C5F95,SHA256=CC7091CDCA060A33AEE81A3BA03772C3CB82282192CC4A872810414F4BED3D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:38.702{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=542A49B473E5F032DA3EB6410040DA1F,SHA256=149C2F0C1597CAEA7FCE2AC62FC9F7E1BDF502DB088D2B1EBC88E73F65B5D45E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.530{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60468-false72.21.91.29-80http 23542300x8000000000000000191299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:38.025{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7F4DECE8D0DDCAA2733AF33E1149AF,SHA256=D764DDA0C6FFC75DAF4D260CFD9630D379975CEA3C771B1EBDCA9BAA0CC8FC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:39.902{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436A05A1F39A70E0D92C28E791983900,SHA256=175A4D0DA8A3BEC39D9C86EDEA70DA5B19D1C50B15C58FD305EBF42B02525C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:39.115{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B37AED88F75F95E30A9713B69124EFB,SHA256=DEF89E2CE279950E8C050B05B95C02637504BBA19CBD83B6F4C25099F0C6D96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:40.994{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F158087E0D186CA9F5D8E63CA311722,SHA256=8C24EC9123B25C58BED10AA65DB06075F4B1A9489341373D78813DB3E7A8C346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:40.131{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16F980EFA18093300796BE7FC4EE022,SHA256=149E0F120E830147A63E48F338E15CC7E42371CB451944FE8130B25A194501C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.990{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.989{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.989{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.988{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.988{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.988{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.965{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.965{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.965{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.941{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.941{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.941{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.777{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+1422b3|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+14221e|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+142203|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+142203|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+143eba|C:\Windows\System32\windows.storage.dll+1414ac|C:\Windows\System32\windows.storage.dll+141288|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+143ea8|C:\Windows\System32\windows.storage.dll+1414ac|C:\Windows\System32\windows.storage.dll+141288|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+143ea8|C:\Windows\System32\windows.storage.dll+1414ac|C:\Windows\System32\windows.storage.dll+141288|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.647{E8723972-A821-6356-F10F-000000008902}9516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF13fd3da.TMPMD5=8554CEE29C03241DFB5882E9984AA700,SHA256=FB6542D6D734A4D8C127624D80AED6D404A14B78F01E3564E0322ACDDB2A2FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.616{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.585{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.585{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.577{E8723972-5904-6356-9601-000000008902}52565152C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.577{E8723972-5904-6356-9601-000000008902}52565152C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+1a7a4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+1a7a4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-A821-6356-F20F-000000008902}82129896C:\Windows\system32\conhost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-598A-6356-3A03-000000008902}27649004C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\windows.storage.dll+14d60e|C:\Windows\System32\windows.storage.dll+14d302|C:\Windows\System32\shell32.dll+100749|C:\Windows\System32\shell32.dll+ff2f6|C:\Windows\System32\shell32.dll+f1bc9|C:\Windows\System32\shell32.dll+aefce|C:\Windows\System32\windows.storage.dll+12c92|C:\Windows\System32\windows.storage.dll+12989|C:\Windows\System32\windows.storage.dll+1285f|C:\Windows\System32\shell32.dll+f1c4f|C:\Windows\System32\shell32.dll+aefce|C:\Windows\System32\shell32.dll+fe2d3 154100x8000000000000000191305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.506{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 23542300x8000000000000000191304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.248{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600AAE4A579EF48DD0496CFACA08F750,SHA256=0505CAD316A32D198111ADB547D17CCF2DD196F6A9B6E714322A9990427FDB2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.133{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60469-false10.0.1.12-8000- 10341000x8000000000000000191363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.753{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.753{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.637{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB89E0988F4F130DE7C1661DB939E7A6,SHA256=D3158214CDBC3BC6D055F098133D8939F0747CD25466F48CF0AB332B8DAA9E42,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000191360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 14:58:42.606{E8723972-A821-6356-F10F-000000008902}9516\PSHost.133110971215064802.9516.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000191359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.606{E8723972-A821-6356-F10F-000000008902}9516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_zrvkwb5b.ue1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.598{E8723972-A821-6356-F10F-000000008902}9516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mooqjgva.1ix.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000191357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.482{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mooqjgva.1ix.ps12022-10-24 14:58:42.482 23542300x8000000000000000191356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.478{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFC6DEE79CE1DE41FBE4D6503465A45,SHA256=2E1CD97EACB9CC2D18C701D48027953767525040AE6117BA625978707107A1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.476{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D3895618CA70DDC89E77871E6EFDC0,SHA256=3EE68130648A05AE1682D4CEB2905B5138FBC680A9C05A0602A47FB02A96E963,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.475{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.470{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000098557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:39.937{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:42.078{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47851AB1967BBE5387D88E4C6CD2E7C,SHA256=0ED3576C06D5A57E92A993CE7F9A98B394139C1ACE6243C2E2D66F495D0A294B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:43.539{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5CD70B3B2D7660742A03D2DA28CE4C,SHA256=1FBDAE442B185D77C434205CC074009494E936DA91A3DEFA6320555F8E0210B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:43.515{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6679556A0B6F46E631405C6C14DA9852,SHA256=748B36D79EB74DA183D1B6EAC39330770F73F997C482B074BFB170ECC2D2CD5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.574{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.568{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.565{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.562{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.561{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.557{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.556{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.553{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.552{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.549{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.547{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.542{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.540{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.526{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.506{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.489{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.486{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.478{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.441{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.432{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.422{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.415{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.408{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.402{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.395{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.386{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.377{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.365{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.361{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000098558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.179{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C26C6470D4F7E43E62EB37C8588FB6F,SHA256=AEF9DF262D59F746CDC0310541127373A499B69C28F65D653800BCEAEC7BC356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:44.596{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB931B61DBDD5024E3FF58AC3725415,SHA256=D91B36CA0D306583C28FF0963290178B8FFCBB66423E536446FAEFE8028CD877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:44.693{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B675F3DA9342261C3D8F04FAA7F870D9,SHA256=03C4F755B0E2F68DD11FA4027EB7CF5A267B5C0E846DB95BDD0BCB9084936D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:45.667{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBD4D64BA4F93A2E78F9FCA38A62678,SHA256=0AF08EA2DC45F1FBDF43EB57FCC2BA0EA31CE7E9975273DA5B849A29BD49560D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:45.781{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF6DE4B36A7338860CCA855FA52C76C,SHA256=4FFE7975A433693548A33D35F5C486DD4DB656F1F334E8A0F7BE4F9EB76AC6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:46.866{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CBA942CB7B9CDDD542377247D7E5B5,SHA256=12775DFB987AEDD346FE41F2A6889E4E94ECE2F513FBB2A9873308BE7952F3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.787{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA5EDF558BA8D8AF5A7CE2B0AB1AED2,SHA256=C53A6BDE0CDA583ED60D939877A17E72FC55F1A5615CEFDC468B0E39B44A7F8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.734{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.732{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.730{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.727{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.386{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.376{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.339{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.334{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.321{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.315{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.309{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.301{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.293{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.284{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.278{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.270{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.264{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.230{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.228{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.183{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:47.751{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009AFDC4CC829C6C863371D3532D4C56,SHA256=3CCFA7A2C62D7BE91588D6DA1FD12D8E2D3499D918BD0BA4B9CA3E6D8E9446DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:47.953{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4477925F233D29DA1DC4353C19EB4F,SHA256=D91147BABF882930015B32B6C86161E85EAD6BC6EFF16CA21863CDDE9167253A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.807{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48FFF7A63E1177F10BC2A3056ABED55,SHA256=DEFB5DE479177F00F9BD51F16CC795826A2B48665CFC7F0A6DF87861506A3BDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.764{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.755{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000191397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.055{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60470-false10.0.1.12-8089- 10341000x8000000000000000191396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.749{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x800000000000000098592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:45.919{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53676-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000191451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:47.057{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60471-false10.0.1.12-8000- 23542300x8000000000000000191450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.773{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A2C83FA242EFBFD0B0EC629CD6E291,SHA256=21E46416212CC50E77A3A4D55CDD5CE18AE80AAA3959936269B82A433211AC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:49.044{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6E04F220E9510FFB6E750519BC7CB6,SHA256=483659607582B201A105DB7513B0F41D9524DDEFB05AF0B107A82F221282F82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.570{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2F47BE5543517B8BEF086DE8017296,SHA256=FAA8AC33CEAFCA746EF344FE029EEB604255DCFAB2D89EA7967B8A7FF73CCD06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.495{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.488{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.487{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.481{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.479{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.477{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.475{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.472{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.469{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.466{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.463{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.460{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.460{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.458{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.456{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.453{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.439{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.438{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.438{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.437{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.436{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.435{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.433{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.429{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.426{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.423{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.420{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.412{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.410{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.381{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.378{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.367{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.353{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.345{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.312{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.306{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.297{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.292{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.291{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.288{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.285{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.283{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.282{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.278{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.276{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.274{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:50.806{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC8EC143F29715E009EC8B4FE4FFCA8,SHA256=C026069F95F8BF1D93B65966A364F329F3E125FCC64F5E5A9202926A876B30BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:50.242{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536DDF9A828E079C7480B049E0643F1,SHA256=965AB106624F537F954B6EEC6C4F359E8B64036A9D219B9A22D1E0E3B6D7E287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:51.877{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B96CC38B2B6018469607C46192D822,SHA256=5590A4D623921FA0F73A1E12519FE4792E434F48B60668BE0E845799B2C8EFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:51.329{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A4B0017D3665AA2D0F754374089C05,SHA256=D8D0F04105E9B56837A139AE5684E7CAC53C92B286B9A298DABD1EFEF07D4775,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:51.324{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:51.323{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:52.423{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4334EB75CE200DCBD814FE40E4642FF4,SHA256=2517F97F2B8E43116FB5336EA2DD4A1D43834D6EB5E1D4C6DAADF1F4D79E8803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.108{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.108{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.092{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.092{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.092{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:53.500{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF677A1D7612AB86ED5E2A66A075A10,SHA256=476745B3923D61AF4C535A9F36689AED28D5E92C128FB5810554A37E209DC2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:53.034{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49227AB7D771E8D397D069925328C7E,SHA256=AB360D54E2BA4C2314E2793B1704111E1F3C8A0A8563C1E54B85F36649988458,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:51.928{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53677-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:54.578{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5FFD67C812D610211439B1067A03A9,SHA256=59DF6A77D15276433310F0ACB1481E53C26B8C75F2D56EB18149EECFD9941026,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:53.066{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60472-false10.0.1.12-8000- 23542300x8000000000000000191462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:54.095{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BDC2D8DEF21118A2F9DB33142A8BD6,SHA256=1B129EAD8C25AB35C685FB8F8B2EF3DF2C22CC76BD6E8D6F372A13B64FE4DBAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:55.663{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0D610D3906034B42E6E822DC7238C8,SHA256=18743EDE0E98FBE8A902A51ABA9728DDD9E13CED33825A51ABDFFA6F7BB930AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:55.165{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A52B605FD6DE7658939CCA376C5FD3F,SHA256=F9B19BDE9FED3E45F2E870DEA0BC01725756DFD3304AEB534A74E7EA07F404C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:56.735{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BF91A625928110F7F2AE246BEB98DD,SHA256=1DBC291914C82F59073C851BBF0878133CE264AD714D4954E4EA8289B2CEEAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.231{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7202E0F7344FD43234621B15248740,SHA256=6F3CEE82B29708226260DD59068C39653A5E3041772696DE0DC70368A3439E55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.905{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.826{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9C3D15EF81801628E86E23142288CB,SHA256=C388B4313E6A305689E9C96F33C2E288D8A3D0D16A750BC75EFF3E1183EB9A07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.180{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51300- 354300x8000000000000000191469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.177{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60473-false161.71.11.52dcl7-ncg0-lhr4.la1-c2-lo3.salesforceliveagent.com443https 354300x8000000000000000191468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.117{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60091- 354300x8000000000000000191467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.092{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60091- 23542300x8000000000000000191466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:57.284{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD58EC0905C2B9BF4CD5E73F22165124,SHA256=444F1D339BBB774ABACD37E83FF1A7DBD52A5DBC88CC304F5856962AF042DD4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.954{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB546E4AEDD183D9D7402430900CAA4,SHA256=642EFC6BC825B07686D5D87A8DD21319D45D969FD7BB0E22665B6AB412311AB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.925{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D25C145EF448154DED85918ACCF5CA9,SHA256=68BBCBF64293F29E87F35039E5A4A802F02866391948C3A228DD035451BC30EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:58.386{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A41F7CE7D8930E496936618834B74B,SHA256=39B2BAD1A1B12AC01A64207BA229BCAE0C31110105168E6EA49389D20E51746C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.686{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AD68098F2292336F8727C8965F9AF526,SHA256=4FD0B24A0BB1BAB0ED864DA2935CA77443DFE8ACC624189456B7D0306345E896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.561{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A1F5DFE58850B2ABF93078E38836674B,SHA256=06DDD2365AA489D39D8D09528609A94B2C97ABB9D67F1E1BDC2AEA4DC1F12DC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.420{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000191472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.185{E8723972-5A49-6356-0405-000000008902}5716la1-c2-lo3.lo3.r.salesforceliveagent.com0161.71.11.52;161.71.11.180;161.71.8.180;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000191471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.185{E8723972-5A49-6356-0405-000000008902}5716d.la1-c2-lo3.salesforceliveagent.com0type: 5 la1-c2-lo3.salesforceliveagent.com;type: 5 la1-c2-lo3.lo3.r.salesforceliveagent.com;::ffff:161.71.8.180;::ffff:161.71.11.52;::ffff:161.71.11.180;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000191477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:57.829{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60474-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000191476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:57.829{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60474-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000191475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:59.465{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD248EF59A81C28495A28A6FF38EC1B5,SHA256=1361D653940DF872F99C1B686452ECEB5AC086B00842E48BF399BDE84472F699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:59.157{3A30D728-A832-6356-350A-000000008A02}17921012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:59.003{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FE8172D0793FFBB82CE026157ABC594,SHA256=EEA42029EAA2D7730EFB9FB687F2A5C6CE7D618596941CCFD21B98474420B129,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:58.104{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60475-false10.0.1.12-8000- 23542300x8000000000000000191479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:00.566{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39F4D5A2FA43E2D65D222F6D25D6C87,SHA256=7BB79D5D70417CBE9055C89152064AA8A102C35FCC4E99E73649BF12FD9E3035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.433{3A30D728-A834-6356-360A-000000008A02}1372968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.090{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.024{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D7A9D2D4D68B8E0E7C03815D3EE978,SHA256=82DBC2F77112F8F965F947A47CB29A121BFD87B11D81A602E595BF57A7DF8F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:00.166{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A4C087555A0EE7FF2319EEE7AF28C6C7,SHA256=3C25A6E324B1C13721A56944188EACAAF86C202DF44B42AD51825718743DD130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:01.717{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CAA2D2838104087B862AED4CDD25FD,SHA256=29DB58924DC584FC6C4BBEC75B0A279DDEF790D5B3B59CFC9B617A43222D4CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.902{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.898{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.898{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.893{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000098677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.431{3A30D728-A835-6356-370A-000000008A02}19921084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000098676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.928{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53678-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000098675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.228{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.117{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226FC3124C030AEB896679628CB01874,SHA256=8F80AD10A5CF3ACC6313D8CF88C97DC689B25741211B66B5DEAC5E73067CEB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:02.793{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F5164D926151A9440C16BCD9BFC225,SHA256=E24D541938F597EA8DAEF658AF2EA896903BC3D99794D66C763071EB60BE423C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:02.794{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6E27E9995B1A8C2DFC0E070223D5F66,SHA256=76E5156F827707B38469F6526C249D8FEA92F7B89BCE6B1A049A003A594E4884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:02.372{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFE495D792E102C8D7BA51985CD7C2B,SHA256=B2AD0168033CCFAA2EBDD4B802BB0451F957F01064DFC2BDC0EBF126474B3B71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:02.107{3A30D728-A835-6356-380A-000000008A02}27323748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.872{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9903868E9734885CE8F6AF198EF2CC,SHA256=EFF72266FD4D2BA933C96F8CC3469E7F3EAF5F3D80C654E4EFE95A9A6CDCD2DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.636{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.632{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.629{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.626{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.625{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.621{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.620{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.616{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.615{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.611{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.609{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.607{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.605{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.596{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.587{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.551{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.549{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.536{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.492{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.484{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.473{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.465{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.456{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.449{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.439{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.428{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.412{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x800000000000000098696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.412{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC353C288C3A4A2AC54371430C193950,SHA256=057F8EAFCC32A97E5D5925D129021B25EC7E5EB234591DEFA4F2A2C5A863F640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.389{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.374{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000191491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.495{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.495{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:04.929{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC334F286838106A81B03C85DA90444,SHA256=65B6A53099725E9B46E949873C8F60EDE7CF38D5599E2898EB7E150FC2685388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:04.662{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD79B9C24C1835DDEA9A4DF1AC5417D,SHA256=D5ED189FC0EF3313D7892E8850D368A091996E41CA6BCBA11061AF9CBA2A5409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:04.574{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E27B13735B811FC05E7FBE85EB5BBC60,SHA256=BEC9E6327194CE171A89EEAC8D81E54C57141E1AD78A6574685D0DBEF8404EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:04.239{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7F0A9A6B686397AAD406936D405AF1BD,SHA256=ECF475E26C05B64A717927F5A6EE4EE75B1F286B163DF75387A25C0BCEDA93AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.928{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.928{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.928{3A30D728-58B9-6356-0B00-000000008A02}6243016C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.913{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.787{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D78A31803E5AFA30E283A84F88913A1,SHA256=CDB70DFBDF27C828AE24BE6B9871292E05318971CEC5840F5F616C190D2850DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.984{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60476-false10.0.1.12-8000- 10341000x800000000000000098737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A839-6356-390A-000000008A02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A839-6356-390A-000000008A02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A839-6356-390A-000000008A02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.008{3A30D728-A839-6356-390A-000000008A02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:06.870{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD00157B279A438DC0347FCA13E44170,SHA256=7CE3E850727349F423611679BF4135A7BAB7F68D5E923EB3A50DFD4D1EAABA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:06.105{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E3B2F9BFF1D3A930C44CD05972B6B2E,SHA256=54B8CD6C329E2B97D672E1050D6B2C1175E26061C7FCD3DC96D02CF5B7DE8510,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.795{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.791{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.789{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.783{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.390{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.381{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.376{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.370{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.367{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.366{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.364{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.340{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.334{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.322{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.318{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.311{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.302{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.294{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.283{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.276{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.267{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.260{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.224{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.221{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:06.015{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63E2C8B1F4144E498F8764159261622,SHA256=6651D1C2F46792B5B148113E5B8B7333E6A2C0598900566AB87034536948D2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:07.953{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11F8429C46D3F4FD83AAB4FDD9B2F68F,SHA256=AEC48C21AEC583B01D2623601201CA9350D57AE39C2FA3C0D9E2CFC95D98D822,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.840{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53679-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:07.059{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9CB50877DE1C8B27124DD73A6A3737,SHA256=5765C44DB1A6E5DA1A086B77BDA19F1A4E83A354162A9571336D864FA3DF956C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.841{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.841{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.841{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.838{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.838{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.838{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.838{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.827{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.826{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.820{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:08.151{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983E90322EAD0438B0C82CA647CC2B8C,SHA256=1793B5FB15B9407F31EC16622F4889B5BB0A1D6BEE8C8FB642560A4B41CDC831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:09.057{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651988093298F68FBB4BF5B549DF8976,SHA256=ACBC019F88D94BC078131DB0FD2FFCD4F1B5130DAC39CF4455EE65E17FE46C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.882{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CF569C982CEDC191104BEC08D2E600,SHA256=4AB1A46FE501A9CC4F37B6C04560001F33169D82E4CF73F55A85F19D04E90D1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.738{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.563{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.556{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.555{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.549{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.546{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.543{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.541{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.538{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.535{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.533{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.529{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.526{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.525{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.524{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.522{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.519{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.505{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.504{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.504{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.503{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.502{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.500{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.498{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.495{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.492{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.489{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.487{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.479{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.476{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.448{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.445{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.435{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.434{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.434{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.420{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.412{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.377{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.369{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.361{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.356{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.354{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.351{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.347{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.344{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.343{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.339{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.339{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.337{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.210{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E0117D3CF95613A2B37C4684B5A4E1,SHA256=E07BEACC391CE5723B2C05F9A29616247B9CB253A545F6C285F0790271BADCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:10.507{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EBC9E62150C08BE71780DCA3BA3719C,SHA256=8D94B8F229134A44A7D7B6418BA364E368637DD3FAA37D101D76737E170ABCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:10.140{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7B364E36394A360FEDAF251C4AE1494,SHA256=B58996351E4D2CCACF658E30FF3D1BDF7470B7DBD0B4B8873E7AE9897524854A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:09.023{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60477-false10.0.1.12-8000- 23542300x8000000000000000191618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:11.557{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6A3F56CD1DD1237C87417F5A77323E,SHA256=5394A1F1BBFE9E0E3CFE132192B79AE68E9CD88D5D281DBF6F39C43D09407203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:11.236{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6557A59B15D64F66E4A137CC8FEFAC4,SHA256=CB4FB6D4B3A9D815EBBCCD4DACAB7E4E78454A0A18542CF807A14CC9024296FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:12.626{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA31ADA8E79D6594C6470C8E3DF2BFA,SHA256=D4C5317027B58CF98BD0482E7FACDED2B11D5C6641362E627A7C3E6B83AF5A65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:09.820{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53680-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:12.323{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0A2FB96294919D09B94B299C698E5C,SHA256=83BB775C09249BE1D264256FC15FB5A87C333B5CBB1E171A455F213B2B37D869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:13.691{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E700E93AEE4021E5012B373675E69CAC,SHA256=AD4A908B070E460627309A5A8DE66EB00EF87E2097DE311AB3AC5354DD042234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:13.414{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F36633C4A985655B9E5437E94386CE1,SHA256=75A0E7A7B18A4209AD5518A922887DA70A08C7CD15C339077EE2248DBA01DB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:14.730{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97D0E651B193061774028F7021606FE,SHA256=5EFD9838A471A70E5B3F6B133B26F37CD6F138179FA2CB50098DA1B0DA3A4CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:14.509{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F047A245C55F8E9BF2B7713DBF65DD,SHA256=DEBB5692439D86F3ACE7429028919F23065F845BC5ED10BF7106BAB6F325AE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:15.865{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AEB7C00819A6CB8C51E24B90DBC404A,SHA256=F99B18BAE6AC4AC17E2F5A34F606A3877D899A2D06BF680C2B483797C8D3AE1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:15.587{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDC36A9927D49EABB5CE78D121C4A32E,SHA256=3278D02FEBA8FA6E34CBB8C47D6EC1FE59742B5679DB7CDC36594CB65A360D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:16.949{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5F6A50B2242091FF7421856F5BE5DA,SHA256=D75A4E7B1E8F11BEBCF867E9E1EA51400390A6C968C2AB11F14D9705A2722255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:16.674{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6886FDE275DC17F32CEA00BAD228DC,SHA256=7250DC9A635AF37D50EB94E6547D0998D55BAC5AB97532C93CA6BEE9081D817B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:14.031{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60478-false10.0.1.12-8000- 23542300x800000000000000098757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:17.871{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:17.777{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5D8D04DDF9751D1B5FAB78AA9A2C582,SHA256=AF2CEC39BA2185DB80F5F56E6662191167E89D16758687EC9491BF4AD46068BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:17.049{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_145436MD5=BF3A9D399F13783D6AA4CEB1B50758A0,SHA256=CFF55D8EF4559A2B4B717E8117A6F27D8C6CFDB94B8D383A0E1D1CE72BF34E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:18.864{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726BF8586C0E0A7B3B79283B2629FD94,SHA256=F7FE9CDB4544ACA51C1A31B472C0691D70120418DDD0833BD8232C009EFB580B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:18.271{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D7DE05253C4FE21E7EA26B7E9E1FC265,SHA256=3AB58801611342A08270705A8900F4CCB209D45AC5986B1924B68ED0FBE0C5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:18.019{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0692C7980490DCC82617A605C7243303,SHA256=B5B3DE14C865460ECFF1B23B56EB1A1BAC06EC08936297D556CF62BEF5A9F09F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:14.904{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53681-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:19.969{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0234D791F3AA2F2A7AD9B3D8146C1B,SHA256=449E0918996DB7C59281626C5AC60B119AEE65753EAAE1C7ED904813F397EB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:19.688{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_145436MD5=74E174966361102963F5CDAB5D4D3ADC,SHA256=3E0F062979EA9D268EF3E3C673A4D05C234D6870C571282DCB31C8B0AACF0CEB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000191631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:19.683{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000191630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:19.683{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=C39D59AD8F8E168D638231D3D4771657,SHA256=31B3C02F1605C7957E5438CAFBB9DF8AB9E83C76B8EA92E1CD2C2225D8A3FE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:19.070{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85F212F027AF4DE6768A9EBAB21D80A,SHA256=EC6C949EED1A3C654689E5137E7208BE29E0DA8DB238B2B300C29142D781548B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:16.548{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53682-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000191634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:20.827{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-340MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:20.139{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316DEAF9B1EE516FB3006084ECA6C33D,SHA256=26B81F88DA3691DAB8FB3AD2A839EF447E6F649D5B2DC4FE92B840A0CA567A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:21.075{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC7CEFBD6375D1EC5DB47A5A577EC7B,SHA256=88D25B4B5A90F1CA4B71D178DC76E629EFFEF0D936181AEBF550AE2CEE532CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:21.827{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-341MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:21.205{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6A48CD969C517250BE8A846F09E6B4,SHA256=3D39F48FC8C3DCBFFB5107D5BF8376FBD4E657EDBF3092166838E0CBD40C1FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:22.431{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-330MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:22.163{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03961CFCCFDCED8772514254D725269C,SHA256=0AF03CF9CBA04993E0367BDB91EB5C88283A4181E0E841EE602F720BAC747373,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.442{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.442{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.442{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.427{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.427{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.427{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.427{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:22.260{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1864DACF7C5F8B684A4E484775EE15,SHA256=F268B50A1E06F774285AABC58D8AA89ECB803C1D19100E087776B9F976CA1E85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:20.042{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60479-false10.0.1.12-8000- 10341000x800000000000000098795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.620{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.615{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.610{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.607{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.605{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.598{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.597{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.592{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.591{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.587{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.584{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.582{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.580{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.566{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.559{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.538{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.535{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.516{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.468{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.457{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.438{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x800000000000000098774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.431{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-331MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.427{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.420{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.415{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.408{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.401{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.389{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.376{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.373{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x800000000000000098765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:23.251{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C029C059A31AC6205165B57A56DA75,SHA256=F1ED44874AE2F28B7D528E9F3691A0551261AD8223B8C69375D1120439F80CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:23.305{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2A5EFFEA0FC0F1AB7ED928EEF596B5E,SHA256=6102A0472BCA79FBC2054118DB14493B05CA3B3422E307650F191A6D44415FD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:23.205{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:24.826{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B99D4233BE16B94FCD902815E3A7DD,SHA256=59670C51BB498423E92791594682A9068E1B5156CB0613AED4EE8B34B6426754,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:20.904{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53683-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.684{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF1407c11.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.507{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EABF269B4DA23AD129EBB8B0C7087DAF,SHA256=C8D60C82E66344D2BAD58740977F13076009EF238B10561A6E13E0EA0BBCFEDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.341{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.258{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.258{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.258{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.257{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.257{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.257{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.161{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.146{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.114{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.114{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.114{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-A4E8-6356-590F-000000008902}101129400C:\Windows\system32\cmd.exe{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\SHELL32.dll+fdb9f|C:\Windows\System32\SHELL32.dll+fda2c|C:\Windows\System32\SHELL32.dll+5b20e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.100{E8723972-A84C-6356-F30F-000000008902}8352C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\2.vbs" C:\Temp\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000191648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:24.091{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:25.650{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8EEE485DB1426666A10D90A2808101,SHA256=645A906C0052586425ABAD1B686E7D5944E11A0396AC46474BB2BEBDB2F05E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:25.432{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CC3E60D82705923D1423F21F54C4A2,SHA256=E60F69BB242F3FA9ABCADC369A542DE25F77D2F1D9FE7EFF3A83D1761F34B407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:25.132{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B08F67B5BC9B3EDC13456C2E50455760,SHA256=F6270169839CC93A5C304003C823C0A30C4F487BBBFEA235A45D72AEBEEFBD13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:26.762{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8D38A717ADE2653B4ED17C928EF609,SHA256=5492F6FA6A7A169611747C4EA518F9BE317A6CA2A09A849C75AA74AE6A861E5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.758{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.756{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.754{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.751{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000191730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.722{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FD653D54A0F850661FEC6E49D75D19,SHA256=67409FEB0F78D7A66FA5D79AF984161A8765BB98771E7BB48393D910388960FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.684{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A84E-6356-F50F-000000008902}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.683{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.682{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A84E-6356-F50F-000000008902}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.681{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A84E-6356-F50F-000000008902}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.680{E8723972-A84E-6356-F50F-000000008902}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.612{E8723972-5646-6356-1600-000000008902}13004384C:\Windows\system32\svchost.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.612{E8723972-5646-6356-1600-000000008902}13004384C:\Windows\system32\svchost.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.414{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.405{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.400{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.394{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.391{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.390{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.388{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.364{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.359{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.347{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.341{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.335{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.327{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.318{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.309{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.302{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.294{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.285{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.251{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.247{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A84E-6356-F40F-000000008902}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A84E-6356-F40F-000000008902}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.010{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A84E-6356-F40F-000000008902}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.011{E8723972-A84E-6356-F40F-000000008902}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:27.860{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAF5469497E0917C07B28F39043894F,SHA256=89306E1B1BF31181395C65994611C1603220ACBB8E0E159D02FA22FEEA592053,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.808{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AD40B44EAA0C9B4CA52011BB254E42,SHA256=BE4E6A1DAB20AF418677DED329E6DA2CCA89E1ED0E9B5359CCE4C018F924BCE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.435{E8723972-A84F-6356-F60F-000000008902}56727300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.272{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A84F-6356-F60F-000000008902}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.270{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.270{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.269{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.269{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.269{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A84F-6356-F60F-000000008902}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.269{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A84F-6356-F60F-000000008902}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.268{E8723972-A84F-6356-F60F-000000008902}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.095{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000191736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.095{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:27.095{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1408577.TMPMD5=B6AF075EEF849C96E5B077C7686AD18F,SHA256=6238E31FF8D53F83D88B98475C1ADF7A06FFF50096493BBE9E30B6DA56F87D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:28.937{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EFFD468A879DAEDF92BAB5157F5F29,SHA256=26EDBA584DF57FEFA0D9001D665BE87F4641EC9ABE07E02962F2981FE91C0410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.937{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BC48FB861C9FA73156776D3A41D655,SHA256=0F348FE96DA9545C26DDA74B5BD311048F1414FDAC3E8C80A77DAD42C778391A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.817{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.802{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.786{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.783{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.768{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.716{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:28.213{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F7AC8B9C6FC60313F6FC0F949CACCA06,SHA256=753752F88B1D4C0F718587275999F5A82134D44418AE9C5F39F6008E34D6119B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:26.021{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60480-false10.0.1.12-8000- 23542300x8000000000000000191812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.889{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B747DF61137C5D1492A072354F9A05D,SHA256=2AF7B498C8EBC8EB212B761D117994EBC0D1E361C7C47E06E567775C34626500,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:26.850{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53684-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.629{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=412BDA8178368A4BE054BF74A31D26C5,SHA256=2B801136AD7F434B93D5A48CD036A028B527111C78843E961AD9A838399823FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.602{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2E575970656D83CE6C4CF16E9C3081,SHA256=F42B7FB6AFDAC453DC652F4CB243890A24ACE26B268E427A9576C054A4A7509A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.528{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.520{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.519{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.514{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.512{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.509{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.507{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.504{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.502{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.499{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.496{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.493{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.492{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.490{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.488{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.484{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.466{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.465{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.464{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.463{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.462{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.461{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.459{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.455{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.452{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.450{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.447{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.439{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.437{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.405{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.400{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.387{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.387{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.386{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.373{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.364{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.332{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.325{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.315{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.310{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.309{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.306{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.303{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.300{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.299{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.296{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.295{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:29.291{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000191829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.942{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C83F3BFAD9083CDCAB61194EB8887D0,SHA256=4115994B14B4870CD5F0CF84758C2A0809D5C4512EA34D38E8B308D04AE4AD0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:28.055{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl54411-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 23542300x800000000000000098803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:30.039{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4778820187D949ED8896F3380765F5D,SHA256=EB8B9557027B090827A5DAE2F412864749D808B9C0324D6C5EAA307CD88CB13C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.757{E8723972-A852-6356-F70F-000000008902}95486676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.593{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A852-6356-F70F-000000008902}9548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.591{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.591{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.591{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.591{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.590{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A852-6356-F70F-000000008902}9548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.590{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A852-6356-F70F-000000008902}9548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.589{E8723972-A852-6356-F70F-000000008902}9548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.017{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.017{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.017{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.001{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.001{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.001{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:30.001{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:31.131{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C192C312376EF73530F3A1F8D8A04EE,SHA256=CE92DE03BAB8E4C2D05D50203B5669AA97EA464D69AF4D8F5EA15205A4C6F618,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A853-6356-F90F-000000008902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A853-6356-F90F-000000008902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.820{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A853-6356-F90F-000000008902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.821{E8723972-A853-6356-F90F-000000008902}1988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.693{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC6E3C666600804BB0732E97A2439317,SHA256=A24FAFFAF8676723E22B2BC2C5891135145614C42B4F98E55962B84C05523676,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.439{E8723972-A853-6356-F80F-000000008902}75408568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.370{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.370{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.370{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.369{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.369{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.369{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.258{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.259{E8723972-A853-6356-F80F-000000008902}7540C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:32.232{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389A44378F6E059A9AAC1B31AD7A9A5D,SHA256=F695F7B86FCE9D51111D2EB26FEA75062570B4066E42F2097B4AB4335D474A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:32.186{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=71559C70289CF26AD20C2F3F0549BCF6,SHA256=97FBCE60BF018335C5293B184892F49C682764B8AA5B248ADF8CF14446EE46B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A854-6356-FA0F-000000008902}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A854-6356-FA0F-000000008902}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A854-6356-FA0F-000000008902}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.677{E8723972-A854-6356-FA0F-000000008902}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.043{E8723972-A853-6356-F90F-000000008902}19885248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:32.028{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5AD01D33C399FFB6274E20FC5F2AC3,SHA256=1316B0B6F44E365800CAA42E01FB35A2030D5792DE18AE147C95F7F69F3C1DEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:33.323{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D79BE38504949C8E566EEC8C98E459,SHA256=7B17CC49DAFB662188D8331DCFCD37D5BB5DE19242C1AFFA7E071D3AEF146D4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:31.077{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60481-false10.0.1.12-8000- 23542300x8000000000000000191864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:33.096{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442185FEFF58432A54F604F59CE5A389,SHA256=FD311CA2C5123B3014F8B7DA61A518B54E1F8211F94C496C0CB8DAE0224489F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:34.278{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025995A083CA10AFAE723667018A8F0E,SHA256=AC5C07770DCA74439DB78B86FABE355BCEAC975B0EAACA240700E0543C94CB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:34.430{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BB84258084FFDEBB241DF3E59454B6,SHA256=580EB87A05493FA249E83B134461E57456A9365875B6448216BF91B66FF3A910,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:32.834{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53685-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:35.515{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96F1D7AC6577DE2D32F9BC83F3599AD,SHA256=ABDBD41E2613B93D20FEC3B6527C63A0357309A7BBE9C4A26804B92514A15909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:35.425{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3C4B7A1A7C8F59F1FBB08E23CEF2F0,SHA256=4EE6470A24FA07EC03AD7CFC78055BDC5E70EB05C59C42174981F6EF15195FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:35.241{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F7E21ABBCEFEF7DCE1EC8A2AFD682DF,SHA256=427881D741D0F35F90B06E24BD669FFEBB56D5A1B101C80CC4B52C91ACA1E690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:36.592{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CE486A5BFF8D62A9B5F75CB4FC41DF,SHA256=4EC5E77968F90A6040C09149899598086960BB0DDC58EAD3BDEABB82E4D93D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:36.683{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=D402711DAEB719158E1C3E7FF9218B0E,SHA256=748BCEF8134C54489FFA2902E262EE4456D59B80D331BD4A81164ACBFF13378B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:36.481{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AF2DEBED830B969786F294CF7AC13A,SHA256=C00B611E6C09BBC834AAFC917982F139BC8CEBA1F593EC6358889000C4DE1BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:37.679{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3DB39EB534C89FCA74F566D7AD55DE,SHA256=DC4CFFE5C1FBBFC9D6B56B9981715ED1BFAAE4187C64F289D4BAD62FD6A4FE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:37.648{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=88650CB0E4B4AA1A2CB1DB3DF5154EA5,SHA256=B5F863D1AF5FDE576ACF6F304333DBEAB86B8BA40E0378EC3447B3C62A955A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:37.567{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E59F5C30ED36ACF2BA1E17227BB62D3,SHA256=187EA9321E468043FED0A8B7C072564859BAC034C5367A2C9466288124F8C958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:38.664{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D10D18A0029D6F8613767673921B5F3D,SHA256=23CEBFFBC3002426AF0006EDA2A07457BD2E231C3DEDCC1137E0FD1FAEEAF154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:38.632{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D3EEC9466408E2BF50641E117A0E04,SHA256=BA886095D0443917DD083835C3791B0D2F4E68ED56710CDF35C586C79D580CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:39.737{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D89FBE1D5498DC11E3ED8A7D7A0A123,SHA256=550EC14CAE6CA365835D8D4B7E02B03E5BEE69E567996435F5A08C4170344495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:39.691{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83117312B5E9E05E62478751ECA9009D,SHA256=EB31E09B5902329007CA4A52D1E87E7149F61D58CD796A295DAAF0A39FC2903A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:37.070{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60482-false10.0.1.12-8000- 23542300x800000000000000098818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:40.828{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=052A47B7D0CC619AA345DE00970222A6,SHA256=C3198B0615773832A7B7917E849D18C61F68E860C5DFA216B3CA1B87756C24CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:40.837{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC9B50F0549C5F5750CD31243D0B884,SHA256=B064497686D93CD1DB212AD8C0BAE46872E8180F01D63594EB80A6D6A0DB8371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:41.863{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77EC7C776E41FAF84124571D7754483C,SHA256=48B4F00F72C3F009B14B94411F3A78CBF92125785C92791071DCB3E1206ED8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:41.912{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA90DE18604B7D59C14CB166A555143E,SHA256=F7D4CBF0CD8F951A1265D491AE445D4C22AA784C041ACDA75C9DB478A9389C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:42.942{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358D0DDC2113D6CCA03F1444D1D4B10F,SHA256=04816CDA0A79E4A7AFF9412D0964FC01820024359090219C1D7F4B551E24D805,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:38.841{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53686-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:43.968{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE8C4A75FE9BEFFDB204EAFBD5C54C2,SHA256=9D1DF44D07E69176FD3C52230E2CECB5784591F0B387B17951B03453487121A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.609{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.605{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.603{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.596{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.594{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.582{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.580{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.578{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.576{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.573{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.571{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.562{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.559{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.548{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.536{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.512{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.509{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.496{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.470{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.463{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.450{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.442{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.431{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.421{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.411{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.401{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.389{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.375{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000098822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.370{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x800000000000000098821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.009{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E627963FF2D3A8E27D410D93B3DC50,SHA256=7F7F087930259F6D5A2D7B066CE98EF8BDB5CD8B6781160ED8A81450DB94043C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:44.142{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26EB00DD8A2E9E19114B542406AB8ED,SHA256=0CC8664BAC24F9D2D55847E6BADCCCE0FCE8A09D1D634DFFE49BCC69E0F49DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:42.930{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60483-false10.0.1.12-8000- 23542300x8000000000000000191878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:45.047{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CC395A3541E79129684561F57D1191,SHA256=44952B3F5031DC30EB5CD004F30399E32EDCF98CC7CB3AE90E035848C15004D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:45.196{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC91D7884703A791291DB07DFF265503,SHA256=364F4053A4FC0CA6C5E885E021FE0C0C3C4031D2F8F6543B2CFA52A67545180E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.716{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.714{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.712{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.709{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.415{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.405{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.397{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.387{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.381{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.377{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.373{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.352{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.346{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.334{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.330{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.323{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.316{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.307{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.298{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.292{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.284{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.277{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.237{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000191882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.235{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000191881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.189{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.173{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B200D1D8583F4535DC6CF6F0CDB2E5AC,SHA256=79629962536BEC1766C9B0EA6AC2137E91EE7E1C02585CCF435DF5723D0D35F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:46.278{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5724D44D217981E9383457B166CEC2,SHA256=39F849BEBA3BAEA131689707BD3F9B79E10141DEEBB1E76E4790C78DFC827206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:47.355{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F80B33451FBCA3626416A135712751AC,SHA256=AED9C9235EA268DF7BF2004639969126A7A0CDADB75B711A14E9B3ABA0D08DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:47.191{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21B7164E3923399482A1D3BB403D8DC,SHA256=43C12FC3F999C77B18E2E849E7A2DD9910BB3B25ACCE1B7CBCBEB676DE163D61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:43.904{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53687-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:48.441{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5C66D18641690F84704CA0781231096,SHA256=FB886DD429F051DD681D42E6E942E43BCC6A485274E530C515EA5DC4C006FA76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.745{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.744{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.739{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.278{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2B5461A97C9E28D07B6389A4DFF4A4,SHA256=2D1980A2C87952C9F16D4C25C001CA9444508757D8FB00B43F6BB4FF35729172,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.542{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54450- 354300x8000000000000000191910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.539{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60485-false161.71.8.180dcl2-ncg0-lhr4.la1-c2-lo3.salesforceliveagent.com443https 354300x8000000000000000191909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.479{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59584- 354300x8000000000000000191908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.453{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59584- 354300x8000000000000000191907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.077{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60484-false10.0.1.12-8089- 22542200x8000000000000000191966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.547{E8723972-5A49-6356-0405-000000008902}5716la1-c2-lo3.lo3.r.salesforceliveagent.com0161.71.11.180;161.71.9.180;161.71.11.52;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000191965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:46.546{E8723972-5A49-6356-0405-000000008902}5716d.la1-c2-lo3.salesforceliveagent.com0type: 5 la1-c2-lo3.salesforceliveagent.com;type: 5 la1-c2-lo3.lo3.r.salesforceliveagent.com;::ffff:161.71.11.52;::ffff:161.71.11.180;::ffff:161.71.9.180;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000191964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.490{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.482{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.481{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.477{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.475{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.472{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.470{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.467{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.464{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.462{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.459{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.456{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.455{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.454{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.451{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.447{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.432{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.431{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.431{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.430{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.429{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.428{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.424{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.420{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.417{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.415{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.412{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.402{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.399{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.370{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.366{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.365{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4761AD7914053DD5E7928970521EC7,SHA256=8DCA7995AA04D37D70ECD3465745D414F5438BA2192CE0494FD20BDF519758C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.356{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.355{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.354{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.337{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.329{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x800000000000000098857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:49.534{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC8AA9AF937A8B70F5C1FF303AC82DC,SHA256=B2D9D71B372A0D351412454D8E6BCD42503591CCFB703E0906C0ECE84907E965,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.296{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.289{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.279{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.274{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.273{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.270{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.267{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.265{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.264{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.261{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.259{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000191916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:49.257{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000191969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:50.979{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4626C2612C7E63A452ED0B237E3CE4A6,SHA256=D94A158E7FC068210A3DA9CECF01B6B108B42A4CA57E10DFFADD09FDC0E1A6B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:50.628{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7536145A4EA5C61478745C2B4D5F8253,SHA256=FC0A48BFAF8CE2EDE3DBEF3D33D8B4549A38022AE1230ACD503F5CE1AAACFAA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.943{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60486-false10.0.1.12-8000- 354300x8000000000000000191967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:48.096{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54586- 23542300x800000000000000098859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:51.719{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5324A1DA74C81725DAF0F29853CDEA,SHA256=3795D522CDA97FDB0A8FE2111D0311A6534AAAA3715ABE49B8CB8255D9110E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:52.814{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D075E8A654DE1D228DC246F940914527,SHA256=4E5A0255D6F0881E317F3562CEAEA8EF28C0B460673E7501C49A6590B45671D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:52.029{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F99330C387E90964D0F5D788A85A34,SHA256=5D88CDB7822D98E80730CE56D545857BE80FCB3C997C09CA029BA20B273BA670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:53.910{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F226F9507D1B338AB6CE1CB39B20B9,SHA256=B130331D896E7C07516D5708ACABFEC8BD6AD4557ABFA4C04447DC5BF42D90EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:53.158{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7A86DEF0837353E90F5DF5A4303AFF,SHA256=2DD2B6C7F3294F46BF01DA5D1D3B9780AECFD27C2898B8812AB1626985C083C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:49.742{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53688-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:54.994{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E78CB2815AAD4E600EBEB8D36FAAB0A,SHA256=EFF47DA837A1EA8A20B6B3985F5AFBC611C3D8A4900EE169E9FE006CE0FB5AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.982{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCBEEDD524F60791B30964DFE9D45D1,SHA256=1A7A469DD36653CAC41A6DBD8C11FC91F5B4368A84EF8F5E518AD1D5828D66D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\System32\SHELL32.dll+ba960|C:\Windows\System32\SHELL32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+40098|C:\Program Files\Notepad++\notepad++.exe+4146d|C:\Program Files\Notepad++\notepad++.exe+f24c3|C:\Program Files\Notepad++\notepad++.exe+d4fce 10341000x8000000000000000192035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\System32\SHELL32.dll+ba960|C:\Windows\System32\SHELL32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+40098|C:\Program Files\Notepad++\notepad++.exe+4146d|C:\Program Files\Notepad++\notepad++.exe+f24c3|C:\Program Files\Notepad++\notepad++.exe+d4fce 10341000x8000000000000000192034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\System32\SHELL32.dll+ba960|C:\Windows\System32\SHELL32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x8000000000000000192033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.859{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\System32\SHELL32.dll+ba960|C:\Windows\System32\SHELL32.dll+ba88d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+40098 734700x8000000000000000192032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.659{E8723972-5654-6356-2700-000000008902}2636C:\Windows\System32\dfssvc.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000192031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.667{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000192024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.659{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.644{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.644{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.644{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.644{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.643{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.643{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.643{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.643{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.642{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.642{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.642{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.641{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.641{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.641{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.639{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.639{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.639{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.639{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.638{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.637{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.637{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.637{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000192001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.637{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000192000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.635{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.635{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.635{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.634{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000191996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.633{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.633{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.632{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.632{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000191992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000191991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000191988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.566{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x8000000000000000191987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.541{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000191986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.540{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+b9db7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834|C:\Windows\System32\win32u.dll+10c4 10341000x8000000000000000191985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.504{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+1400b3|C:\Windows\System32\SHELL32.dll+13f654|C:\Windows\System32\SHELL32.dll+13f3d3|C:\Windows\System32\SHELL32.dll+13f44f|C:\Windows\System32\SHELL32.dll+13f21a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x8000000000000000191984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.504{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+1400b3|C:\Windows\System32\SHELL32.dll+13f654|C:\Windows\System32\SHELL32.dll+13f3d3|C:\Windows\System32\SHELL32.dll+13f44f|C:\Windows\System32\SHELL32.dll+13f21a|C:\Windows\System32\COMDLG32.dll+10e08 10341000x8000000000000000191983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.504{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+1400b3|C:\Windows\System32\SHELL32.dll+13f654 10341000x8000000000000000191982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.504{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+1400b3|C:\Windows\System32\SHELL32.dll+13f654|C:\Windows\System32\SHELL32.dll+13f3d3 10341000x8000000000000000191981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.497{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb771|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+6cf83|C:\Windows\System32\SHELL32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000191980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.482{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bb6ed|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+6cf83|C:\Windows\System32\SHELL32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x8000000000000000191979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.482{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+6cf83|C:\Windows\System32\SHELL32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x8000000000000000191978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.482{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+bb6d1|C:\Windows\System32\SHELL32.dll+ba2e3|C:\Windows\System32\SHELL32.dll+ba214|C:\Windows\System32\SHELL32.dll+b9cb2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+6cf83|C:\Windows\System32\SHELL32.dll+6d2c4|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x8000000000000000191977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.459{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+11f14e|C:\Windows\System32\windows.storage.dll+11e956|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE72AB5)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EF00635)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9834 10341000x8000000000000000191976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.443{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f265|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+e020c|C:\Windows\System32\SHELL32.dll+dfd55|C:\Windows\System32\SHELL32.dll+e086d|C:\Windows\System32\SHELL32.dll+e3e8f|C:\Windows\System32\SHELL32.dll+13ff02|C:\Windows\System32\SHELL32.dll+13fa22|C:\Windows\System32\SHELL32.dll+13f63f|C:\Windows\System32\SHELL32.dll+13f3d3 10341000x8000000000000000191975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.443{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+11f1e1|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+e020c|C:\Windows\System32\SHELL32.dll+dfd55|C:\Windows\System32\SHELL32.dll+e086d|C:\Windows\System32\SHELL32.dll+e3e8f|C:\Windows\System32\SHELL32.dll+13ff02|C:\Windows\System32\SHELL32.dll+13fa22|C:\Windows\System32\SHELL32.dll+13f63f|C:\Windows\System32\SHELL32.dll+13f3d3 10341000x8000000000000000191974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.443{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+e020c|C:\Windows\System32\SHELL32.dll+dfd55|C:\Windows\System32\SHELL32.dll+e086d|C:\Windows\System32\SHELL32.dll+e3e8f 10341000x8000000000000000191973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.443{E8723972-59DF-6356-B003-000000008902}44407108C:\Program Files\Notepad++\notepad++.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+11f1c5|C:\Windows\System32\windows.storage.dll+11f103|C:\Windows\System32\windows.storage.dll+11ebe8|C:\Windows\System32\windows.storage.dll+11e85b|C:\Windows\System32\windows.storage.dll+85775|C:\Windows\System32\windows.storage.dll+87126|C:\Windows\System32\windows.storage.dll+879a1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+e020c|C:\Windows\System32\SHELL32.dll+dfd55|C:\Windows\System32\SHELL32.dll+e086d|C:\Windows\System32\SHELL32.dll+e3e8f|C:\Windows\System32\SHELL32.dll+13ff02 23542300x8000000000000000191972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.182{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A7BF01ADB49175C2B245492372EBCF,SHA256=1F528F8A36C0D2CBDB171B32A2B2DD20D73FC155F8666EB89EF00EC58F095D6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.984{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.984{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.984{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.745{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE8F6100523565CB6E03CE9D1E840ECC,SHA256=645CC2C80436EA98FC98F874082AAC929B9A9D7ECDD679A5470E74FD1F3D42D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.585{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=28D79F096F6F3DB6C5D5BD86430A193B,SHA256=8CE225B34141FEA6FF08EC0DA2E093BAAA348B8479218AD59A8BE299413F77ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:55.299{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96239C9BBFE783E884D720C27AC94223,SHA256=550E4E38C248560BB8FDC7A54B580CFE6CABCCDD02EB3EB711746D5CA0286575,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000192053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.536{E8723972-5654-6356-2700-000000008902}2636win-dc-ctus-attack-range-702.attackrange.local0fe80::75c1:3a3a:67d4:9dd2;::ffff:10.0.1.14;C:\Windows\System32\dfssvc.exe 23542300x8000000000000000192052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:56.384{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F523C0D32D5DACE6D9FB07E41895AF,SHA256=6DBE97FC92786A8B4D52D0F958DCFE4F6CF906BBFAB87F2A813C00BC676B76BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.552{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60490-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.552{E8723972-5654-6356-2700-000000008902}2636C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60490-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.534{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60489-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.534{E8723972-5654-6356-2700-000000008902}2636C:\Windows\System32\dfssvc.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60489-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.520{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60488-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000192046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:54.520{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60488-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000192045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:53.947{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60487-false10.0.1.12-8000- 23542300x800000000000000098864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:56.084{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A4202321451ED3B292319A2D03CFA0,SHA256=F1DD9CE13576B840329807A92BB00479A2C1F8B04731E99731E24DDB33E0D07E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.399{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AA375FE981EE824088F173BB757906,SHA256=9D59AC6933FA504C0C1AFEC8937610D3C13737167248A02CB89B0508278A287B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A86D-6356-3A0A-000000008A02}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A86D-6356-3A0A-000000008A02}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.917{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A86D-6356-3A0A-000000008A02}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.918{3A30D728-A86D-6356-3A0A-000000008A02}2824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:57.170{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7622A27041454BDF5E7BB4BF68D2D3AB,SHA256=E28D7BC31413755A3DCE5E6E0A602DD28E0DB92C7E25750B8D20A19594FA2065,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000192055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.115{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000192054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.115{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=D679CB8E34316319E728022F17DD5A5C,SHA256=062A8BE0E41E4DB441D5E580B23AE4A6A1B3C4A82B72CE322C917689F75367A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:58.502{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A4B2C690B0E1BF7482242107B2B2CC,SHA256=AC03409F304A552ED77135FBCC7B063A32249704A7A57E223A94840E8E9A2B9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:55.738{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53689-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.571{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8799EF8A053C87E991B90A9185CEDA78,SHA256=9B289D792A52B54AFB336D42B0F6A2F25AA3BAC5C3861ED7ED882C6DB160576E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A86E-6356-3B0A-000000008A02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A86E-6356-3B0A-000000008A02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.493{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A86E-6356-3B0A-000000008A02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.494{3A30D728-A86E-6356-3B0A-000000008A02}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.463{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DAE6716E23FEC75446E32600C0C3AE65,SHA256=735AC4B2251DD128AF911A8EFCC6D167FC79B48DCA4B1862AB9E76C28D04626E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.245{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246BE63003E298572411DBB4E75AB550,SHA256=62C3F55C1C6B623B1DDD00E5D11240E5DCD645932C7711725CAFE1712BDF7D37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:58.121{3A30D728-A86D-6356-3A0A-000000008A02}28242580C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:59.768{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FE2AEEE7968E58B8F0F7AABA4E074154,SHA256=984AEA24C9D19D4108BD21484A5C2824063FED8235E8E1811A9D882E25AFA123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:59.614{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45978C3B481F1DEB6C0F53C731FECB84,SHA256=9F4D930AE8E4A4680F0EBFDCC8A6C19FC5544D62248CDD344292571640730E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.446{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51A18F853422F4E247A74E60C596E7D,SHA256=38C3D1084551FBBC1C8E37E365AC03BF03D18D4701FF83DD2ACA7007A393AEE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.850{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60491-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:57.849{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60491-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 10341000x800000000000000098910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A86F-6356-3C0A-000000008A02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A86F-6356-3C0A-000000008A02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.117{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A86F-6356-3C0A-000000008A02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.118{3A30D728-A86F-6356-3C0A-000000008A02}2404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:59.008{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A81190760EC3FC934D0E4AAB96D3F4CD,SHA256=2AF325029341D2383F5BB752A276F1F978E947188A84A72D4919A4EF78D4CE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:00.640{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C70E97210FFD642B753D1D6E2F248C,SHA256=869A779B44C01D3B34012CE7FC7FDFC2F79C5018269D457634F3EA7FF4350545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.544{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF12521CF4D12FF72B30E61B22F18D9,SHA256=7FD702C7930E3C048957532F9E9BB52FAAB835F4AD0D2BB926BD759DB81FCC47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.263{3A30D728-A870-6356-3D0A-000000008A02}2964580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A870-6356-3D0A-000000008A02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A870-6356-3D0A-000000008A02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.091{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A870-6356-3D0A-000000008A02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:00.092{3A30D728-A870-6356-3D0A-000000008A02}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000192070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.869{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7b219|C:\Program Files\Mozilla Firefox\xul.dll+e7b4fb|C:\Program Files\Mozilla Firefox\xul.dll+121a1ab|C:\Program Files\Mozilla Firefox\xul.dll+121a2d5|C:\Program Files\Mozilla Firefox\xul.dll+e77df7|C:\Program Files\Mozilla Firefox\xul.dll+e5b267|C:\Program Files\Mozilla Firefox\xul.dll+1fd3342|C:\Program Files\Mozilla Firefox\xul.dll+1aa5caa|C:\Program Files\Mozilla Firefox\xul.dll+1aa835d|C:\Program Files\Mozilla Firefox\xul.dll+1ebe0b2|UNKNOWN(00000047E9CC32E3) 10341000x8000000000000000192069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.869{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7b219|C:\Program Files\Mozilla Firefox\xul.dll+e7b4fb|C:\Program Files\Mozilla Firefox\xul.dll+121a1ab|C:\Program Files\Mozilla Firefox\xul.dll+121a2d5|C:\Program Files\Mozilla Firefox\xul.dll+121a2d5|C:\Program Files\Mozilla Firefox\xul.dll+e77df7|C:\Program Files\Mozilla Firefox\xul.dll+e5b267|C:\Program Files\Mozilla Firefox\xul.dll+1fd3342|C:\Program Files\Mozilla Firefox\xul.dll+1aa5caa|C:\Program Files\Mozilla Firefox\xul.dll+1aa835d|C:\Program Files\Mozilla Firefox\xul.dll+1ebe0b2|UNKNOWN(00000047E9CC32E3) 10341000x8000000000000000192068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.869{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7b219|C:\Program Files\Mozilla Firefox\xul.dll+e7b4fb|C:\Program Files\Mozilla Firefox\xul.dll+121a1ab|C:\Program Files\Mozilla Firefox\xul.dll+121a2d5|C:\Program Files\Mozilla Firefox\xul.dll+e77df7|C:\Program Files\Mozilla Firefox\xul.dll+e5b267|C:\Program Files\Mozilla Firefox\xul.dll+1fd3342|C:\Program Files\Mozilla Firefox\xul.dll+1aa5caa|C:\Program Files\Mozilla Firefox\xul.dll+1aa835d|C:\Program Files\Mozilla Firefox\xul.dll+1ebe0b2|UNKNOWN(00000047E9CC32E3) 10341000x8000000000000000192067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.869{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7b219|C:\Program Files\Mozilla Firefox\xul.dll+e7b4fb|C:\Program Files\Mozilla Firefox\xul.dll+121a1ab|C:\Program Files\Mozilla Firefox\xul.dll+e77df7|C:\Program Files\Mozilla Firefox\xul.dll+e5b267|C:\Program Files\Mozilla Firefox\xul.dll+1fd3342|C:\Program Files\Mozilla Firefox\xul.dll+1aa5caa|C:\Program Files\Mozilla Firefox\xul.dll+1aa835d|C:\Program Files\Mozilla Firefox\xul.dll+1ebe0b2|UNKNOWN(00000047E9CC32E3) 23542300x8000000000000000192066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.769{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1529F0EDACAD60E0992ABE9F47F37429,SHA256=B7650F81B38A88FA273C5CA65D679D3ED7F577A6C21042608F14A1A0BCF932FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A871-6356-3F0A-000000008A02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A871-6356-3F0A-000000008A02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.746{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A871-6356-3F0A-000000008A02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.747{3A30D728-A871-6356-3F0A-000000008A02}2772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.637{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B770DC46DF69FE63CFEC8E9D52CBC4,SHA256=471195958F8DDA3F0EB709D22004916AB7F10FA130C8DB14B45ADD656BAED404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.450{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.441{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:01.441{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.514{3A30D728-A871-6356-3E0A-000000008A02}25564036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A871-6356-3E0A-000000008A02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A871-6356-3E0A-000000008A02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.245{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A871-6356-3E0A-000000008A02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.246{3A30D728-A871-6356-3E0A-000000008A02}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:02.728{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C392028293DB980272B8E42042080DB4,SHA256=B6C53A5A8837A670CAFF50A58A7A6FEDE810F15C19CE1DA5FB5769B3565DFF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:02.792{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207E3786659D67AC339946DD7992766C,SHA256=A156A65822A42789DB27D990FCE6AE7090E13CCDEBC54624BB03560F98FCD5B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:59.956{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60492-false10.0.1.12-8000- 23542300x800000000000000098956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:02.386{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=24A4A76CB83C832B2373EB525688C255,SHA256=96BCB4A3A966C7FB4AD60B0ADF148284345E7E9F01ABCEF761A3BC2FE9F7D316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:02.028{3A30D728-A871-6356-3F0A-000000008A02}27721336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.841{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.838{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.835{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.832{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.831{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.826{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.825{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.820{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.818{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.815{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.812{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.798{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000098975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.797{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BC6FE4722F17F2FDC904FDEC938797C,SHA256=89FFB77D8FF735DB6D1BD45AE2E2918FFB54F68321DA77B7471C3A9A7AAB369E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.792{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.773{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.757{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.733{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000192077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.876{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.876{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.876{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.876{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:03.808{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1D63E500781916C59DE4245DE7A539,SHA256=DF34699A62595A76C386DA0FCD6510827FAED7B2176570E22B2CEB2075DCAD57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.728{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.714{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.666{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.659{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.650{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.642{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.630{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.620{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.603{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.525{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.486{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.391{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:03.387{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000098988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:04.876{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2D44694DD502730634955A4B4B6A96,SHA256=184A15B9A53A6DE1A3AA449CD63B4AE843501BF3572106CBF47E013A27F44F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.875{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87ED4FB4D4FFFE23547510D2B1F7A63,SHA256=DF807CB4C80267011FEFCE159018E713185853070C7102004738891981144940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.960{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B284F3B5000F4437A0CD0C9842489F05,SHA256=662B37F47D0EAAF68B6E5981BD43BA523C86A3B6963F1743CADE4CDD70C632F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:05.907{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B305FB67768B80C0A65C9BC1FC1451E2,SHA256=D77FEF1BC25802976C26A2BB5A6739BA6C2EEE88404A6F19FC591AB218FB2A84,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:01.749{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53690-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.015{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A875-6356-400A-000000008A02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.014{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A875-6356-400A-000000008A02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.012{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A875-6356-400A-000000008A02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:05.011{3A30D728-A875-6356-400A-000000008A02}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:06.939{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1BF4051D6198C64BA910F854C47D64,SHA256=3F9D45E2A43335FBFC6644B54254F1A368EE3BA6630A7A72A36BC34E85CE17B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:06.176{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CE056692DAD2E425FFCD98B74B7C500,SHA256=6AEC805BB4D495E376FE06686BF36D14A95DC77399C68EA0639CA27B29137E15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.790{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.788{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.786{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.783{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 22542200x8000000000000000192106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.269{E8723972-5A49-6356-0405-000000008902}5716www.google.com02607:f8b0:4009:818::2004;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.268{E8723972-5A49-6356-0405-000000008902}5716www.google.com0142.250.191.164;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.267{E8723972-5A49-6356-0405-000000008902}5716www.google.com0::ffff:142.250.191.164;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.405{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.396{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.388{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000192100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.264{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55894-false142.250.191.164ord38s30-in-f4.1e100.net443https 354300x8000000000000000192099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.264{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59258- 354300x8000000000000000192098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.263{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53051- 354300x8000000000000000192097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.260{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55893- 10341000x8000000000000000192096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.382{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.379{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.377{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.375{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.352{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.347{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.335{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.330{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.323{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.313{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.305{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.294{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.284{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.275{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.268{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.227{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:06.224{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.974{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.953{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.923{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.915{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e74e98|C:\Program Files\Mozilla Firefox\xul.dll+e623f4|C:\Program Files\Mozilla Firefox\xul.dll+43b02c6|C:\Program Files\Mozilla Firefox\xul.dll+2465108|C:\Program Files\Mozilla Firefox\xul.dll+9acb0e|C:\Program Files\Mozilla Firefox\xul.dll+965151|C:\Program Files\Mozilla Firefox\xul.dll+17f0c8|C:\Program Files\Mozilla Firefox\xul.dll+9b04e5|C:\Program Files\Mozilla Firefox\xul.dll+453a186|C:\Program Files\Mozilla Firefox\xul.dll+9712ea|C:\Program Files\Mozilla Firefox\xul.dll+974391|C:\Program Files\Mozilla Firefox\xul.dll+972ffb|C:\Program Files\Mozilla Firefox\xul.dll+972225|C:\Program Files\Mozilla Firefox\xul.dll+97d711|C:\Program Files\Mozilla Firefox\xul.dll+8afee2|C:\Program Files\Mozilla Firefox\xul.dll+82dd1f|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4 23542300x8000000000000000192113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.816{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\formhistory.sqlite-journalMD5=003AA3EAA40F825C33C92B033F1A28D3,SHA256=D6F4D1B1D7EC775A8C6D5D0723FAF2CBD71892777B630695B110117D7C9A09E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:04.968{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60493-false10.0.1.12-8000- 23542300x8000000000000000192111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.040{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5961FF3FC64C3F9D322E211D2AF7283C,SHA256=53BAA4458C78889375D24F8F3A22DCB232EC00E1D96EF1B295E42A83686C72B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:08.028{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9D30809F676808FEBE5367D91777FE,SHA256=20C586B6F8575AC103B560D38C9759B4849ABFECBB0FE1E1B3E50A45F6FBF30B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.986{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:08.974{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.5594171981024703238C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000192164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:08.974{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.5594171981024703238C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.974{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a8e6d4|C:\Program Files\Mozilla Firefox\xul.dll+1a8c797|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:08.974{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.283.153585524C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.970{E8723972-5A49-6356-0405-000000008902}57165536C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+113deb|C:\Program Files\Mozilla Firefox\xul.dll+12f85dc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:08.970{E8723972-5A49-6356-0405-000000008902}5716\gecko-crash-server-pipe.5716C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.930{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e64954|C:\Program Files\Mozilla Firefox\xul.dll+e735b2|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.930{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9ee269|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a8c96f|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.926{E8723972-5A49-6356-0405-000000008902}57163324C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+aa82|C:\Program Files\Mozilla Firefox\firefox.exe+648e|C:\Program Files\Mozilla Firefox\xul.dll+7bd31e|C:\Program Files\Mozilla Firefox\xul.dll+9e90d4|C:\Program Files\Mozilla Firefox\xul.dll+9e7125|C:\Program Files\Mozilla Firefox\xul.dll+9ef13e|C:\Program Files\Mozilla Firefox\xul.dll+846b13|C:\Program Files\Mozilla Firefox\xul.dll+17cdaa7|C:\Program Files\Mozilla Firefox\xul.dll+17cc7f5|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+84a377|C:\Program Files\Mozilla Firefox\nss3.dll+711dc|C:\Program Files\Mozilla Firefox\nss3.dll+89b11|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.925{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe106.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5716.283.1535855244\1838015248" -childID 280 -isForBrowser -prefsHandle 10504 -prefMapHandle 11496 -prefsLen 34438 -prefMapSize 231165 -jsInitHandle 1016 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221019185550 -appDir "C:\Program Files\Mozilla Firefox\browser" - {975cb97c-96ed-4efe-950b-51d840b8a058} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" 7440 1ddbc716e58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442LowMD5=2C1C9646FE1E0E4523667FB6F258C59F,SHA256=BB0679AB0C71EF86E2A353C0B3B9258C42C104B3C9A3AD23647934B795D09ABD,IMPHASH=5358568F6EDC0DB44595BE82D0734963{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000192150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.922{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.918{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000192124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:08.918{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.283.153585524C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000192123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.697{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54893- 354300x8000000000000000192122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.695{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51037- 10341000x8000000000000000192121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.809{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.807{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.802{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000192118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.053{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B61075FD1719A9624269AE383825248,SHA256=C1B5EC392A7D95E953FE350CE7DAB226EE2D1A5B30774804E0B53FF5432AAD25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:09.122{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D262B9738B386380B6794939FF2C36DA,SHA256=E4E998D0320973EC017F0C282F171BCB55344BBED06BA050B128051D72135968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.929{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62B75FBD65E9783FE166A51BF9EFB544,SHA256=734E65744AA494E6539296413C10E3F0C10F333C2115A2FC012404C2D7538CD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.786{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60495-false142.251.32.10ord38s33-in-f10.1e100.net443https 354300x8000000000000000192235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.768{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52443- 354300x8000000000000000192234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.743{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60833-false172.217.2.34atl14s78-in-f2.1e100.net443https 354300x8000000000000000192233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.742{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55011- 22542200x8000000000000000192232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.834{E8723972-5A49-6356-0405-000000008902}5716iad.edge2.salesforce.com013.110.24.11;13.110.24.13;13.110.24.10;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.833{E8723972-5A49-6356-0405-000000008902}5716portal.microfocus.com0type: 5 portal.microfocus.com.00D1t000000vhDPEAY.live.siteforce.com;type: 5 n.edge2.salesforce.com;type: 5 virginia.edge2.salesforce.com;type: 5 iad.edge2.salesforce.com;::ffff:13.110.24.10;::ffff:13.110.24.11;::ffff:13.110.24.13;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000192230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.639{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FE1A63999B8790CBB3CB68D12882C6,SHA256=4CE1522405A3D7523CD19DB5803A49A744A7EA6E96A4871E73CAF163199944B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.600{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.600{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.600{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.508{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.501{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.500{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.497{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.495{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.493{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.490{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.487{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.484{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.484{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.482{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.481{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.478{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.464{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.464{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.463{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.462{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.461{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.460{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.458{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.455{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.453{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.450{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.448{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.440{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.439{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.414{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.410{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000192195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.163{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60830- 354300x8000000000000000192194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.851{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54510- 10341000x8000000000000000192193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.401{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.400{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.399{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.387{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.379{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.350{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.343{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.335{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.331{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.329{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.327{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.324{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.322{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.321{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.317{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.317{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000192177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.314{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000192176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.840{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60494-false13.110.24.10sledge2-iad.slb.sfdcsvc.net443https 354300x8000000000000000192175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:07.829{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55506- 23542300x8000000000000000192174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.102{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8668A114D859FCE1584298A75EE96D6,SHA256=460FC6666BBF90BE79DC12B3DCFE9658EAEE557CC6B88F957563210649940833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.102{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F104450969FA1D14E58956741D7893B4,SHA256=58CF583530D75CF5268C890007BDBAFE7690C4894DEA607D9E9265FA88838822,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.022{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.022{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.010{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:09.010{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:09.002{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-279C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000192167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:09.002{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-279C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000099010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:06.877{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53691-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:10.207{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865062055476C82FBDECF80FB90BD049,SHA256=409BD577461B8116E27A9FCFB8F2D34BEB2B13EB88F66B9A2E0E2F68BB37A2FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.880{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e7ae27|C:\Program Files\Mozilla Firefox\xul.dll+855845|C:\Program Files\Mozilla Firefox\xul.dll+84891a|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.872{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e74e98|C:\Program Files\Mozilla Firefox\xul.dll+e623f4|C:\Program Files\Mozilla Firefox\xul.dll+43b02c6|C:\Program Files\Mozilla Firefox\xul.dll+2465108|C:\Program Files\Mozilla Firefox\xul.dll+9acb0e|C:\Program Files\Mozilla Firefox\xul.dll+965151|C:\Program Files\Mozilla Firefox\xul.dll+17f0c8|C:\Program Files\Mozilla Firefox\xul.dll+9b04e5|C:\Program Files\Mozilla Firefox\xul.dll+9712ea|C:\Program Files\Mozilla Firefox\xul.dll+974391|C:\Program Files\Mozilla Firefox\xul.dll+972ffb|C:\Program Files\Mozilla Firefox\xul.dll+972225|C:\Program Files\Mozilla Firefox\xul.dll+97d711|C:\Program Files\Mozilla Firefox\xul.dll+8afee2|C:\Program Files\Mozilla Firefox\xul.dll+82dd1f|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad 23542300x8000000000000000192240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.528{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\permissions.sqlite-journalMD5=CF467F679F99AC28E36EE844438DA035,SHA256=44BAAAF03357199B1F412A22A090737B59EE38FFE40BDDEF9B1A3AC29A3318B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:08.820{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54131- 23542300x8000000000000000192238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.145{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124BFBD223CC7414A9D9CCC563208A78,SHA256=0C5365F0FC523328A97F470806975BAFF9A2797638752F5EAC7C7DBF0894B649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:11.303{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1E6CA54FF694A57537BC3AC1C1F05B,SHA256=60AD67D83ADC31DA89C6208B938335D26750E53D33E3BB223104F41D21D60F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.963{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.963{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.951{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.951{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:11.944{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-280C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000192298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:11.944{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-280C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.927{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:11.923{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.11327264078723547024C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000192295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:11.923{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.11327264078723547024C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.923{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a8e6d4|C:\Program Files\Mozilla Firefox\xul.dll+1a8c797|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:11.923{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.284.79720461C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000192292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.919{E8723972-5A49-6356-0405-000000008902}57165536C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+113deb|C:\Program Files\Mozilla Firefox\xul.dll+12f85dc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000192291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:00:11.919{E8723972-5A49-6356-0405-000000008902}5716\gecko-crash-server-pipe.5716C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000192290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.801{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52616- 10341000x8000000000000000192289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.891{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e64954|C:\Program Files\Mozilla Firefox\xul.dll+e735b2|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.887{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9ee269|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a8c96f|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.883{E8723972-5A49-6356-0405-000000008902}57163324C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+aa82|C:\Program Files\Mozilla Firefox\firefox.exe+648e|C:\Program Files\Mozilla Firefox\xul.dll+7bd31e|C:\Program Files\Mozilla Firefox\xul.dll+9e90d4|C:\Program Files\Mozilla Firefox\xul.dll+9e7125|C:\Program Files\Mozilla Firefox\xul.dll+9ef13e|C:\Program Files\Mozilla Firefox\xul.dll+846b13|C:\Program Files\Mozilla Firefox\xul.dll+17cdaa7|C:\Program Files\Mozilla Firefox\xul.dll+17cc7f5|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+84a377|C:\Program Files\Mozilla Firefox\nss3.dll+711dc|C:\Program Files\Mozilla Firefox\nss3.dll+89b11|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.884{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe106.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5716.284.797204616\1428898433" -childID 281 -isForBrowser -prefsHandle 6868 -prefMapHandle 5888 -prefsLen 34438 -prefMapSize 231165 -jsInitHandle 1016 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221019185550 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4e5c074-c88a-4005-98c2-dc771509129c} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" 9580 1ddc52fdb58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442LowMD5=2C1C9646FE1E0E4523667FB6F258C59F,SHA256=BB0679AB0C71EF86E2A353C0B3B9258C42C104B3C9A3AD23647934B795D09ABD,IMPHASH=5358568F6EDC0DB44595BE82D0734963{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000192280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.879{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.875{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000192254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:00:11.875{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.284.79720461C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.540{E8723972-5A49-6356-0405-000000008902}5716e13636.dscb.akamaiedge.net02600:1408:c400:790::3544;2600:1408:c400:789::3544;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000192252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.538{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60497-false23.61.192.183a23-61-192-183.deploy.static.akamaitechnologies.com443https 354300x8000000000000000192251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.516{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local62304- 354300x8000000000000000192250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.515{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53880- 354300x8000000000000000192249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.515{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-59412- 354300x8000000000000000192248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.491{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52243- 354300x8000000000000000192247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.487{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local58034- 354300x8000000000000000192246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.487{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59412- 354300x8000000000000000192245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.000{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60496-false10.0.1.12-8000- 23542300x8000000000000000192244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.159{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7AABDDD6602041E9548158B359E082,SHA256=09FB8E21783074DC76E65F90014B750AAB8C21F0144FB6CDCD7171AAC7DB68F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.131{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:12.397{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D598928F835C23BE62FF7BE3602B3C5B,SHA256=86D2E0F7B21B87A30601B72D8D1618479629F38B30836594580F4D8AB922E26A,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000192317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.808{E8723972-5A49-6356-0405-000000008902}5716part-0012.t-0009.fbs1-t-msedge.net02620:1ec:40::40;2620:1ec:49::40;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000192316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.807{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\25820MD5=904415D33127620F465EBF3E0AFF1483,SHA256=DF4200E04E7BF64DBC2FACC24BB0CB28F0647075494CC93A5A17ECDD2A53BDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.807{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\29105MD5=F9607DAC2887A0E56855B114523A5123,SHA256=14890FA159F6356EDE94ED27D13155CAA41D32E90DCB9079C2B9364D3D6E4219,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.609{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000192308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.243{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9FDF90D8E1726574ABB780C320D12F0,SHA256=DCFC2EC406FA2D5EDD419ADE382FA6936FA4E7E818685D1597AC268E2B0B61D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.241{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E69B88490D3A5B548C8CE870D613525,SHA256=5F2F8ACE6F3E0FC9091F87E0B90E5996353651FF7D34DFDE4A8217C4D0F2318D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.819{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60499-false13.107.219.40-443https 354300x8000000000000000192305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:10.815{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60498-false13.107.219.40-443https 23542300x8000000000000000192304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.049{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\permissions.sqlite-journalMD5=B29B6FD2B5CFB50398113D64D30DA1A3,SHA256=1A927D7AA07BC29CE80E82AC27536D88CA5D708B61EC06C5A1EDC5D9B6B0CCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:13.491{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B18B6EFADFF14FA45B0D459035A179F,SHA256=E4573B3E5DCC76C0F0B16E61B75F525D3A9D4D3B20AA70379B6AB2ADAE72C698,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000192327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.122{E8723972-5A49-6356-0405-000000008902}5716onedscolprdeus11.eastus.cloudapp.azure.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000192326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.109{E8723972-5A49-6356-0405-000000008902}5716onedscolprdeus11.eastus.cloudapp.azure.com020.42.65.89;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000192325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:13.698{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=B7EF6653D7843F89B1F156579040134C,SHA256=957FF89529B5AA92438898D066678FF1555740FEA6183673037BDA51A566BFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:13.689{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++www.google.com\ls\usageMD5=9D0AE2C65DC5C2ED567F3650E8CB51ED,SHA256=1B4B1589498A309295FFD238FBBBE60A2108DF3E090D6DDAE94CFAB704C8AAE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.117{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60501-false20.42.65.89-443https 354300x8000000000000000192322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.104{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local56690- 354300x8000000000000000192321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:12.102{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local61887- 354300x8000000000000000192320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.215{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60500-false20.110.81.91-443https 354300x8000000000000000192319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:11.198{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51561- 23542300x8000000000000000192318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:13.264{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3974FC76A91170612F74B0B227C5F40F,SHA256=BE4362DB24C88601ED6B14164768BA7C0F0D3BDEEF91938042F61620589E51AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:14.578{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021D6CC2B07CA5B4BE1DABF99B2DAF40,SHA256=DC74A3F3D59AEB2599E28246E508F4CC7558F7E48486A5467EB9A667C523DF90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:13.108{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52892- 23542300x8000000000000000192328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:14.287{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5245EDF4765CC5C3AB0F8A2BF0E5136A,SHA256=DBA48F988C3851245EC1ED35812E7B9CE5BBFC6D5A2ACAFE8ADC7AEDE0CE5D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:15.673{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EEF22CD0104F3F09316F3008B2E903D,SHA256=7A86937DAE875BA56D8F15C0910F88D3AC1DFFBF79D01F436DEAC275D0F50309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:15.311{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075C07FF64687D549CFD0426282265EC,SHA256=E9AC5372B35C1BBF80E4EBB3024A85CF0069C0D05734DC3CEA9CDF78898921E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:16.770{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E58925BBAA647F512E3A89327C442F,SHA256=8A3BBA4A4A58896102CBE9ED2A821A11CD6CE7A976A4DCF6B3C601EE5B6522E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:15.015{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60502-false10.0.1.12-8000- 354300x8000000000000000192333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:14.356{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59142- 354300x8000000000000000192332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:14.341{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53869- 23542300x8000000000000000192331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:16.345{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECFCB2546B4FA15DCB0CDC90DEADE00,SHA256=1D9DB6CF38B2FCD5BCEB2E779BB0A1F3BB4094A6B9CD59D6DCCB3DE5A4175A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:12.879{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53692-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:17.899{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:17.883{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B4AF7B8DDAA074E04EFD11FDB81F38,SHA256=909D00079CE69335D1EB5642ECEE539F08D1611B8276036E2B00850CAF3312A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:17.353{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFD1CC245EE22827860892EF4C833AB,SHA256=57543EBE9BCDA763DC9AA2F86ACCED8679F211EEC40BBA3B8660293C77A85680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:18.973{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186EE8C8E7C34CFAA314F3F8BB730A16,SHA256=7BA0F07C366CFBF14A1D3B287C464083A2F0D876B4DF1D8A0FFEB6E691352C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:18.379{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED254DB50AA8310BDA5420FD6F48273,SHA256=AA1C58681949C2EEE5542CBBA87B7B2A28DFE739C9061118476DACD7E23AD088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:19.404{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA07629D37091027C2D26D869C268B50,SHA256=4A4F50505317C3F82630E463E5F8B2558B470C9EA4FE443E1BABA1B2FCE755E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:16.576{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53693-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000192338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:20.441{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A95D95255514C37270100E70036B23,SHA256=0CD96C571BA5A4431A197651D110A92266DCA8986C7C421CC54898C182AA2BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:20.067{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1A4C66BFCC5EC714B18E381A13F35E,SHA256=7A02426E228A3625B602F1104D782354740FDE0DA32EFC73A45AB2F989D34514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:21.452{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A331CB2A27461699187EB953DC6786,SHA256=3293A3451FBF5A9BDA3689150B4D3C2F701527554A49B921B954A80657898991,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:18.744{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53694-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:21.153{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97CFD44EF61A513F858E00C6863873BD,SHA256=9FC45D918815A5C8BADE2B7F7CB10159581E94140C144DEE12F7DDCFE4040588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:22.259{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE74B0696D0B043E09B6627E4CB39F6,SHA256=D7FC20C118A58E79677896ABAA3CD6D66A14F9C67BE60ACD5DC1C8BA3A57C928,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:20.946{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60503-false10.0.1.12-8000- 23542300x8000000000000000192341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:22.481{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2C27FABEEFE526D640DE1708611F72,SHA256=9B02995C7ED20DA1A2F735704977CC8C3D069FFADACE560DE1D0D432455C9261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:22.355{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-341MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.942{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-331MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.621{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.618{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.614{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.610{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.609{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.601{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.599{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.594{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.591{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.576{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.572{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.567{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.565{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.554{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.544{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.523{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.520{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.503{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.470{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.464{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.458{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.446{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.436{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.426{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.417{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.407{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.398{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.384{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.379{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000099026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.346{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5BDC47E7BB0BF7FF1A51EE993EFEBF,SHA256=A6348BD1ABB92000D8861936DB561124759E4874E8C4AD1F9244C9AD35C586BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:23.605{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0E34D12162020185BEAB17FF72A295,SHA256=6E978731DFF0C5EF965721545CE37482870E68A3DBF14FFBC82CBC68B3997961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:23.357{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-342MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:24.950{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-332MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:24.870{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB8059136937E3392DA47F942D79406,SHA256=BAB244734007ECC710DA636725DAF99955A13DD1C7C36B0FA55A37BA34E7E098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:24.632{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73CD4C5A4FDF6CC11AA33882DE4E3EA,SHA256=FD985088BC1E113E1A70843A3F2BE39159C7012243BEE289BF48D06288E63786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:25.955{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9423F6BEFA7258BF85E87967A7EB931,SHA256=435E01146BB113317B9E2A08939EADE4ACF2993F1C03596443CBB5752676D5C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:25.646{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6714F186DAD64AA3344972F4E44703,SHA256=4FACBB9E7230CE86A530B386186202F1687B9CA32FACE3936419C383DD24EF8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.770{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.769{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.767{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.764{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000192384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.735{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C0C5E0EA0C2B47E8A3748001EB76BA,SHA256=2FC31A7A0A23D5DCA3DE98B3083D6C0D2801EF71B892BA1388A924B61E361D72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.710{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88A-6356-FE0F-000000008902}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A88A-6356-FE0F-000000008902}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.705{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.704{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88A-6356-FE0F-000000008902}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.703{E8723972-A88A-6356-FE0F-000000008902}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000099060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:23.934{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53695-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000192375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.403{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.394{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.389{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.384{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.381{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.379{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.377{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.355{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.351{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.338{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.334{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.326{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.318{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.311{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.301{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.295{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.282{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.274{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.233{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.231{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.197{E8723972-A88A-6356-FD0F-000000008902}67767760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.029{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88A-6356-FD0F-000000008902}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A88A-6356-FD0F-000000008902}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88A-6356-FD0F-000000008902}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.025{E8723972-A88A-6356-FD0F-000000008902}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.790{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485FFEBA60A67967F4CF4F61D50A74B5,SHA256=A8940D1A977BE0ECB1B618A0E59B6AA7F6AA9D968DA6061DD19A3295502AA790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:27.048{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B877930BB23769BED36C46900D0D7228,SHA256=313EEF4D7FC34FAA834A4CC0267862B3121DD893D573082C4AE671BAC2C63BD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.261{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88B-6356-FF0F-000000008902}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A88B-6356-FF0F-000000008902}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88B-6356-FF0F-000000008902}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.257{E8723972-A88B-6356-FF0F-000000008902}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.181{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\aborted-session-pingMD5=4DFF9B5C59A83EE9B0BF5D0C07E38660,SHA256=7AFF04725FFBACB4B8E254FD78DDFF9905C1AB3E60CC26B97AB7B7C3A07BEC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:27.139{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD588D0F905DF48ACAA2B00282A3C55A,SHA256=72E5D5810DAE08CD9A6CD1C111B541F4103C5A546B235E3A3D8E2BC988115ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.814{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56C678D8DD4C9004F64B31E40FD8DEF,SHA256=E7BF6FD09B2C15A1732D02FD7030E1DC165CBA80F34DC2A1CCF9400A73B77E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:28.136{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E28B19A708CAAE43140A646335DFDDB,SHA256=DB14BEB2FAA872A024F7A06B10F96B8B50760AE4037CF8997301CCD8B24582E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.784{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.783{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.778{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.729{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.729{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.728{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.715{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000192401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:26.031{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60504-false10.0.1.12-8000- 23542300x8000000000000000192400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:28.213{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=43764816D5C880BF6E8EBC62377457AE,SHA256=6CD6AF3F741D82D5570BD108A334CADB04DA41FC0B9987B86F7D88C69D8EB8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:29.225{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259CD133B3CB2E9FAB90D97165368D30,SHA256=02593F10F7DDE0FE4CFABF7D2B23885A181652DA12B907B3621E271AFFBC436E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.838{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0F4698362B26C7BD3D2D415487A08924,SHA256=B0B980AA3E9232AEC43D595405B6AF67EF3D1A7E83FBDA3664F05937ACFCFA34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.525{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.523{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.521{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.514{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.513{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.510{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.508{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.505{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.501{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.497{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.496{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.494{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.493{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.489{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.474{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.473{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.473{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.472{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.470{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.469{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.467{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.463{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.460{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.457{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.455{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.444{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.442{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.415{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.411{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.400{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.399{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.398{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.378{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.368{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.333{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.327{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.316{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.310{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.309{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.305{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.302{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.298{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.297{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.294{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.293{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:29.290{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x800000000000000099064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:30.309{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D41C51DE4098140FA81588C1B4AF12,SHA256=4908D141283F04A979A4A48E5F1A7FBA23E7A86FDA71A14939CC0091181446F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.783{E8723972-A88E-6356-0010-000000008902}69647876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.741{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.604{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.600{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.601{E8723972-A88E-6356-0010-000000008902}6964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:30.364{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2A6EE26FEC5910E4C8ACBDBF94BEE1,SHA256=52E2A070C9E3C88E4F365FDCC61BB56861B8652FF387C556FACE696AA26B4BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:31.392{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D9A164A9EB6D335B460B0A50D2BC03,SHA256=350AB5295017BD693592A8AD6633D6FA71A56D7ECE7BFB1E7C29924219BC2C2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.932{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88F-6356-0210-000000008902}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A88F-6356-0210-000000008902}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88F-6356-0210-000000008902}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.929{E8723972-A88F-6356-0210-000000008902}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000192489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.896{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.896{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.896{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.888{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.888{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.888{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.888{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.452{E8723972-A88F-6356-0110-000000008902}73769188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.383{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC376EA368623606B66F48E9C4AC3C9E,SHA256=935447C37273BF0AB492B696AB40936B8616E98EDF5BA2849D73BC9E0ABBDB26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.275{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A88F-6356-0110-000000008902}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A88F-6356-0110-000000008902}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.271{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A88F-6356-0110-000000008902}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.272{E8723972-A88F-6356-0110-000000008902}7376C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.962{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DACCC2C16AD642E2416BDD4C05E8E1C5,SHA256=ED06D5A5D8E44A3F606C316938976FF1D41C9670FD0ED9819D89BA0A554ACC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.686{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A890-6356-0310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A890-6356-0310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A890-6356-0310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.682{E8723972-A890-6356-0310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.624{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691B4A1F0DBF43C75FFE7EBB0C378D55,SHA256=CA5CCC8FE4F3BF8C759DA4D397552251AD464177F453001C40D934ED8729A671,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:29.704{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53696-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:32.687{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F31FA1444086ED2DEBD7D160E1A8132B,SHA256=F954934F204AD7DDC4A82ABEE62F988A34698380CBC8A6D9FA9628BE5D454C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:32.484{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C92A9F71B5AA3F89C0D5EF7FD41C319,SHA256=03499996CC8111390475BA01A205E9CDBE0FFD9FBCDCC3BCEEE9FFA788F66772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:32.121{E8723972-A88F-6356-0210-000000008902}58324788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:33.652{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0DD2C039C3B0E9E2A06817C0288FFB,SHA256=7F50DA1A84E4B029781E6CAAB3EA29A2BE9C2C9A981519B278043C564B03F705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:33.567{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D88CA700427F90CED569C13C5858234,SHA256=4AC8AF47F0B2212158A7E9403DFE04D5EB7D4AA4C4CFB72FFB26D6A0BD4FC78E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:34.682{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F472072EB836EA3FA2DEBF195C1E7DFB,SHA256=457ECAD2E30BFAE5316C602E863BDDBF4D2C14C8806D2FC0A08984E7590A9786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:34.691{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B050C5DD6C15AC194B903F9DFD5A94D8,SHA256=8E90803E6E7D7673E2B34BCEAE76F332CCCFC8BF10B802837E708A1A4723C28D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:33.160{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54866- 354300x8000000000000000192512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:33.145{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51078- 354300x8000000000000000192511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:31.928{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60505-false10.0.1.12-8000- 23542300x8000000000000000192510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:34.117{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=CC33E5F71499F251547FC481E7BC75C7,SHA256=5A79343B1BA9F0D68E5A175976E0D9607D3BBF70054711551C02958C92D6018E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:35.793{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54F22276FDB9181F992F78926B0C3FA,SHA256=9055D83D410EAA7812CF6DF06AC21B74B522FF096AF17A7B654336B1A62F20A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:35.869{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CDC0A0EC89033F0887EF46F5617AC4B1,SHA256=333E92C6F61B323F35B0E5CC5C57585BEB8F593C8B3EAA1B66EE2793A172F8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:35.816{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BAA1F5FE4461EDB55F295D7AAE43704,SHA256=F8914B1531BA9842CEBA389CC1879481A408995DB259E3701236189178AF1C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:36.872{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300BB66BF5FE4CEAC1946871CB899645,SHA256=E80C1C3D6454EC0FD196F96D8F50AC712C99B0C79388B155FF9A3E39073A5B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:36.847{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4193CF72ED95803795FF37F02F91E811,SHA256=4037C78EE084A1333C4ED74E3336B2FF61E9F87EAFB9DFEC0AD67DA3E778BBE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:36.100{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:36.100{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:37.957{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27571BFFEED6DC3E03F004FA0D5A2B2,SHA256=07D688DC52667E70A2C097C563F782C76F6908D6DE212B3BCBE53C1B6D55CEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:37.961{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87FDE481A41DB25AA5801D990E8DE3E,SHA256=9DC7AEA754C5CA2A56812FAF5278AAF4B8CB64BE8ADB4BE495717D5AA3C81177,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:34.908{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53697-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000192521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:35.989{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60506-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000192520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:35.989{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60506-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 23542300x8000000000000000192524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:38.971{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE2B2790BC56A81BC7EFF02197016F0,SHA256=563AE578DC2D9B79C393F7506B78CB2E07B93E7662C64F1F6C5E208C71B530BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:37.055{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60507-false10.0.1.12-8000- 23542300x800000000000000099075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:39.047{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8588FE6F5C0314CA19F75A8B8FFF2F,SHA256=6033423AE004F76B66C75CD658D3EB27A975242758AA327876382CEB5D58F623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:40.133{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B774E6326C9D174E273986C1018125,SHA256=8E65A62E2DEF5539790A4576ADF4E4899B93C009C0E2203C5C6B2D50E42A1415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:40.000{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2420BFD822A1D9A5DC0B81E525153F21,SHA256=338E33E236A3418F7390A4CAADDC81FE63C340033AE2F50C15FF4B29DA4A89F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:41.150{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113C39377E96C6009C3C11E081CD5129,SHA256=58D335EADDC180D8DB31FC76C1B27B539BED9C8050CCD39EB3A4315DDC76323E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:41.218{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FD764CDF4F4F1DEF7058465FD4E4C5,SHA256=E34517270AFCC7275E0662103FB3BBFB37AA3D54034F5C6C8BED027ADDE91459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:41.117{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150034MD5=92F2833C130F4B5C2AF42F35FB6DA7A9,SHA256=3C62AB39ECC95E7E0D834F9D468AB7836C508BFED4EFEB0B44B3A90385F2E430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:42.304{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085CC151B3CB36B536C2FF16ED6146A6,SHA256=432FACB7D0E4A520ADD0737EDA7535AC87C86A4C77261EC554FDCD6AFE7384AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:42.954{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A8BCEBA01E139A9EA7E35D340AD51E12,SHA256=EA571C06EEEBA581AA8B918A0A877C6E28C3E9B9AB50925FF47AB61FF56FC997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:42.217{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DBEB4B82DEDC808F494B71CDC50544,SHA256=15B0CF0A8621E1F5418B43921413DD5B5E0400C214C31A24979B896507266932,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:40.755{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53698-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.569{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.567{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.558{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.555{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.554{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.549{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.548{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.544{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.543{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.537{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.535{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.532{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.530{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.517{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.507{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.487{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.485{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.476{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.441{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.431{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.424{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.415{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.406{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.400{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 23542300x800000000000000099084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.390{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F203995E18D0C709D37ED47D12AE78C0,SHA256=FA63271A74F6FED5C6D56BF6EB2DEB4E819C083B203D59DAFE9D5A8719EFDEA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.387{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.379{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.371{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.360{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x800000000000000099079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:43.357{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 23542300x8000000000000000192533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:43.904{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150034MD5=595735E7A32CB5D017FECB8F97CC3D29,SHA256=9B0D3F72F1C59776F01C2511C645A0DA1B098FC0E9CE863AEB03FCFD678C2354,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000192532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:43.904{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000192531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:43.904{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=F4B60F8A782F6CB108FF4B6E1FCE2DBE,SHA256=7010E45D17D07C14C700117F13A93C41F272E10287141E87F4357A189FF0F894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:43.318{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47AC1AA25D3B1290D9925F3003963DA,SHA256=E0474A180CB1481C261648B7266E7338CF6004E7B57DEA0BA0F29AC86F4FA242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:42.991{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60508-false10.0.1.12-8000- 23542300x8000000000000000192534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:44.453{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFDFB47243BCBA1830A2892C479C7AB,SHA256=F3B32818BC94AD019659B4B86675A5774F674D882014F6C2BAC16CB4B20A7131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:44.518{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5616DD449FB19E9194A4568531A45F35,SHA256=7270BD73F95C5BDCB69090DB99268535A468185285B854F579FAF335A5597E57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.988{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:45.535{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8898DD5708C5ED07AEC077B51924EB3E,SHA256=66C1E14E46CE36046E76CEC08090DBC8C10CA6A08E6FE8A388F9CB1CDC581BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:45.579{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51DF1B16331A9D3019EF8994C7DDB53,SHA256=A0E02470AEB42D2B62DA80653DD969CF8E9F3D5BE33BA1253369AACF01DC4306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.861{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2025831842BF930D464DCC0299415E6,SHA256=D5E6D2B8E40888DE2546BD168791951FB91E84BD14A864761314913E21C2F892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.756{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.754{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.753{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.750{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x800000000000000099112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:46.655{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD5969F81C922B058C9E89F0380EB87,SHA256=9F50B563C4C805144F2EB597C197D7A08577D56305ABBDCE85F51C586C2B1E50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.398{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.387{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.383{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.377{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.374{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.373{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.371{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.347{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.341{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.330{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.325{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.319{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.310{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.303{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.293{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.285{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.276{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.270{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.237{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.234{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000192544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.204{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.907{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9D0D7B2B74A98961A209D8F02FA908,SHA256=3CB0CD620AE35B94412A09AC73C21CE8BDFF7A02098D7A3D1598A5CB58CE3DD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.877{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.877{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.877{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.876{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.876{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.876{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x800000000000000099113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:47.755{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0436B12C18AC9CB2C75F8D79FC74492,SHA256=9EB3499D356CD6DC854E1E258A65B1435A145C7279BF61E109F3CE63B5ED1AC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:46.092{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60509-false10.0.1.12-8089- 10341000x8000000000000000192602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.089{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.066{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.021{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.021{E8723972-5646-6356-1600-000000008902}13006520C:\Windows\system32\svchost.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.021{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-A4E8-6356-590F-000000008902}101129244C:\Windows\system32\cmd.exe{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\SHELL32.dll+fdb9f|C:\Windows\System32\SHELL32.dll+fda2c|C:\Windows\System32\SHELL32.dll+5b20e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.018{E8723972-A89F-6356-0410-000000008902}6052C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\2.vbs" C:\Temp\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000192570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:47.005{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:45.792{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53699-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:48.837{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441AA8271B163B5213478882FFC3C45A,SHA256=A2E564A9A5732FCF32506A294484BEE8FF8D8CE3D4355C9E227854176C51FBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.926{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3CE2D098AA65BDC979C54963A9097F,SHA256=3813ADCAEA2B5B977A3635499D1DD8E945618278935F6AD683EC003FB07F68E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.798{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.796{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.790{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000192611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.066{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A88CD1B2530CBC81FE684FD9D6329AFD,SHA256=422ECEF3715AE13D0DACA4EF19366921884C45C789C8DCA398631EAC0F9862BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:49.921{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCBD05FD38A3EFC140CAC4A7C458FAC,SHA256=30F9FF7E1869ADC481C8BCFB3CEB8FF6794C9E7B6307BE05E816DC6BEADAD586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.984{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693F9C80F2F6336200159B9759DCE53F,SHA256=F2B64E7CD42A2BA7BF0038ACB41B91EEB68D32E64B0CC18E7A0EC62644BB771C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.768{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB9B607EBC84CDB5E15C126FD42799A,SHA256=E1A0D2134CE10374EF4A3082A53A566C6879DE5B5AAD5B2C0FD1AB5291C497F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.653{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.652{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.652{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.646{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.645{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.645{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.645{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.558{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.551{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.549{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.542{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.539{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.536{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.532{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.527{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.522{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.519{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.518{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.517{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.515{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.512{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.491{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.490{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.489{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.488{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.487{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.486{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.484{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.480{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.477{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.475{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.472{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.464{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.462{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.432{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.424{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.408{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.407{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.407{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.393{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.383{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.343{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.337{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.328{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.323{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.322{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.319{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.317{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.314{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.313{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.310{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.309{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000192616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:49.307{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000192678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:48.978{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60510-false10.0.1.12-8000- 10341000x8000000000000000192677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:50.608{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:51.009{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A3B092559463B101652690DF80D600B,SHA256=B5903E240EA5D9C856F2D1C32E9B3F4C97D94438A298C8A18DADCD92B9A757CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:51.088{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0483654A5FD334DAB2E956D4C223856A,SHA256=0EE9AC5B9EC2616F55C362EEE715934C8189AB096FDB5AA115B20B03DD79E9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:52.090{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8F88474F5E70BAF1D2C56B7A8778C1,SHA256=71845F1E1E19E423CCC6D62BE023AEE13C0963CD8DF018E9BE08953100CCF2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:52.127{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34440D90BEB2AB7D120DE524F7EA1BC,SHA256=D6F22BF4023995ABA63516F5F2B7E7E9D4293612C84512974CDA536479830E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:53.187{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EE47468394F2832D22429C0E25FF54,SHA256=F5D888BE367F285259620F197F9C6ED23FA407006702B0F13D5CBA8CFF46EDD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.975{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:53.144{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231BDFF802CC198450420667064C24AF,SHA256=F7FFABB5164DCA3F6D770815EB3CAE18252B0C47747AB4A0843FAF6168314744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:54.274{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735FB468415CC1A3F6998909937940F4,SHA256=0928A0E248E96F84E08FA99AF3A7986548171665FFE38B0354D4C294B4F3370D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:54.264{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8BB1CF79ED7C30742B7083552B4269,SHA256=0741A5F15C4537D36827F3E4451E7A43E69B88501773D6B6846E51DC9958AD50,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:50.910{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:55.359{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34DE6CDADFF62F5272CEDE83AE737366,SHA256=5A2D6668FD51795667157F752134D951B7A0962C8B042CC4A7B0E6503A47A71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:55.414{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C42E3F832114F184321597DDDC8E062,SHA256=A1164D29DAAB6CD0F39C58736A4B01942E87609F451FCBAA220F05BCF11600E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:56.444{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A671005D97E935B271E80A3A3A3ADE2,SHA256=31AFA6157D8462F408EC8DA57DEE1F42BBD2757BBDFBF9A3668FF0A43076761F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:56.546{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849136A19893F14DFF1F312FC4980376,SHA256=A2A3D0135D26229CFA9C29FCC318B35E54EBA5C356651F7C2137243D1519418B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:54.964{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60511-false10.0.1.12-8000- 23542300x8000000000000000192691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:57.651{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CDB77C8CF9ABEF50AFB6BCB6793651,SHA256=42429C962529121BC6D0926BCD38EAB888DE8D5C3F712898F390F9BF4EE8F26F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8A9-6356-410A-000000008A02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8A9-6356-410A-000000008A02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.922{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8A9-6356-410A-000000008A02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.923{3A30D728-A8A9-6356-410A-000000008A02}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:57.642{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0326DD304C11521DCE530CD3665FBF68,SHA256=34B2FBA5547D260E5186FEF3199C314260E5EBC287CC75BF1F153602CFA8D465,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:57.394{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.667{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F31AB48B92419135ECD60855A4E3074,SHA256=381767DB3F48B3CA0A9D7F10AF7374054032D79C50EF2898DF10FE190629E3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.741{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDB404052B265B84B830D55428E814D,SHA256=6174A43705E4B105A55E49E6BF3593B619AF169C81E60EA4D938578C767E8EBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.470{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.470{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.470{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.448{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.448{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.448{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:58.448{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.584{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=08B44853B928CD1E43B10DAD73BEC595,SHA256=E3745E314B98D9011FC897A97C54F27ABEAADCF4A6CBD440E6E85FF6C93DF54F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AA-6356-420A-000000008A02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8AA-6356-420A-000000008A02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.428{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AA-6356-420A-000000008A02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.429{3A30D728-A8AA-6356-420A-000000008A02}1392C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:58.259{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=04F2AC2EFB95A9883A23A2732A1D33ED,SHA256=9A74457573E831881F88A12E1C1B3E11A599D68238E9DA33D042302D9E3D795D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.832{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7694A6EC5E43303FC963DF05F85D1A,SHA256=B2F41B523E6C8402711B739F952772EB75FBADA5F30A217D87ED7DF0FD38D2E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:57.857{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60512-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:57.857{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60512-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000192703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:59.930{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=050DDC6211AF10B2CD938FA6ADB5DD90,SHA256=D2AD5B04B649E8AD83B37569933EF17737ACD9EFC60EE5C27DAB16C8BEE86431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:59.769{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF721BFAA9A515502647B0BCF314AA1,SHA256=9AE98D2F454E227DFDF5CFBEDE3303584DAD1B09E4EE4CF0DE84A2A156AF8F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:00:59.036{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F23D9AC8B4A32197F3C180779C0EA2F1,SHA256=E54CE67724761AC5742B59A9D1095EAF6F8A81F4DD7CC711616270CC90F65F46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.302{3A30D728-A8AB-6356-430A-000000008A02}32643544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:56.757{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl54990-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 10341000x800000000000000099167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AB-6356-430A-000000008A02}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A8AB-6356-430A-000000008A02}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.100{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AB-6356-430A-000000008A02}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.101{3A30D728-A8AB-6356-430A-000000008A02}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:59.038{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65C1FB5C4D2C797D460D81F1C9D0E2EA,SHA256=CFB32F0D7BF0E64510ECF465F16C57AC40B7A9625AFA8FDDEA04D4F063EEBD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.924{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA9046A355B537B3CBC86C0ECAB60AB,SHA256=ACEBF124D38749C10C4EFD12D7CE6787E215BCE6CE8493640B4EE887AE03C684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:00.865{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19B940EE58D4942421A1A032F7F5EA0,SHA256=13685BA4C280F7795EA3BDA0577801D0F0BC817614BC728F4F85F2B51FF1B096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.454{3A30D728-A8AC-6356-440A-000000008A02}28884016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:00:56.913{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.249{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.249{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.248{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.248{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.248{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.248{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.113{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:00.114{3A30D728-A8AC-6356-440A-000000008A02}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000099225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AD-6356-460A-000000008A02}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8AD-6356-460A-000000008A02}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.934{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AD-6356-460A-000000008A02}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.935{3A30D728-A8AD-6356-460A-000000008A02}1784C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:01.965{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C544381EBB7931962CFA361703DB1F,SHA256=5B3131EB035A0C3559870467CD447F839A094F2323EE2011895CB71DB558D036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.512{3A30D728-A8AD-6356-450A-000000008A02}26442700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.363{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.363{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.363{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.362{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.362{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.362{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:01.265{3A30D728-A8AD-6356-450A-000000008A02}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:02.864{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4D42B3AA3E92B11A7C748697A65A658C,SHA256=7735A859714DD7C084390D69084A7D21BDF6C905683FEC6C81108DF946D80AE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:02.168{3A30D728-A8AD-6356-460A-000000008A02}1784940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:02.012{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB21BB357C6623D98136376E781F127,SHA256=819534062D9AC4DB0E7330F2DC016F7C37EB970D9A9E975BB6A967AC0B917291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:02.132{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=4AC7966D70AC2E906A01EB6D6926CE52,SHA256=93FA5C4B234401A0C2ABF219A9C7CA1C67F3475495992E5861BFB5050E1635D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.725{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.721{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.718{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.714{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.711{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.706{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.705{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.701{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.700{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.695{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.692{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.687{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.685{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.671{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.655{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.630{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.625{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.608{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.530{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.518{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.500{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.478{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.451{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.424{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.399{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.394{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.386{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.380{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000099230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.377{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x800000000000000099229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:03.004{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF520AFA4FE2F47D7525CDC32DD5D28D,SHA256=C2A7577C8D0F2A45C2ADF6FEC3DAACCB715AA2B4A81AA780E21688A39ABC60CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:00.982{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60513-false10.0.1.12-8000- 10341000x8000000000000000192753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.670{E8723972-5646-6356-1600-000000008902}13006520C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.670{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.647{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.647{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.631{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.631{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.631{E8723972-5646-6356-1600-000000008902}13006520C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.631{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.615{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.615{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.600{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.600{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.593{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.593{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.593{E8723972-5904-6356-9601-000000008902}52561136C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.593{E8723972-5904-6356-9601-000000008902}52561136C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.547{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000192736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.547{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000192735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000192733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}525610068C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}525610068C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.531{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5646-6356-0D00-000000008902}9126752C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5904-6356-9601-000000008902}52567908C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.515{E8723972-5904-6356-9601-000000008902}52567908C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:03.066{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C48B2540EDFA2FBBA1AD74ED9F4B68,SHA256=4A426C5B0F51570BB5BCB561FD770E7D64E751EE7F3DCA2E84F4FADE0B871CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:04.271{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6923E3FF0105E48362905E90425EE0A6,SHA256=C6176C8577D0FE5FB0BA1ABB18555573C47AD8D32CEE8551E3CB7221F618EFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.679{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE0DFD991C0A0D5851E88C06E8F39B70,SHA256=3837CC6E09CC1F7EC3283395D2C2F95A162FF96D461BFC2D1F5BC858662235D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.267{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.267{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.267{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.266{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.266{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.266{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.240{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.240{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.238{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.236{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.236{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.236{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0510-000000008902}6992C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000192771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.191{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F75D90B706E0F7CE7D81C7285EA215,SHA256=6C87BF602CD9A2ABAD35B27AC185FD8DFE91913FBD971E2D8798F1C2BC8BCEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.189{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5162E47D4F2DFE53746174E8D39CCFF,SHA256=26CAB2158D018114ADED3DA0C3E0B2A616BB0435998E87B132376FB040C78563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.177{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.177{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.174{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.174{E8723972-5904-6356-9601-000000008902}52567360C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.173{E8723972-5904-6356-9601-000000008902}52567360C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.172{E8723972-5904-6356-9601-000000008902}525610048C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.172{E8723972-5904-6356-9601-000000008902}525610048C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.171{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.169{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.169{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.168{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.146{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.146{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.146{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:04.146{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.927{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.927{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.926{3A30D728-58B9-6356-0B00-000000008A02}6241360C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:02.715{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.432{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14330F020ECD35192C2990D9D9D2F00F,SHA256=289B49B6A422EAF0D426301A2EA96CD470D056850575AD55175A0745A91545DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.369{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23209E7310CB9CB5E9F5014048343A2,SHA256=700E32F1EFCE9586750892937F9916128C4C1E73299642543CFC1BD15340BA54,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000192795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000192794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x014207a2) 13241300x8000000000000000192793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0x0ee84bdd) 13241300x8000000000000000192792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7b9-0x70acb3dd) 13241300x8000000000000000192791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c1-0xd2711bdd) 13241300x8000000000000000192790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000192789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x014207a2) 13241300x8000000000000000192788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0x0ee84bdd) 13241300x8000000000000000192787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7b9-0x70acb3dd) 13241300x8000000000000000192786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:05.946{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c1-0xd2711bdd) 23542300x8000000000000000192785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:05.363{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E004A038667B359609F7786EF80F6D,SHA256=0E4BA3CCDA3CA14BD8A883D0FCD927ED5ADF2270053CD9559CC7F4BC301E88F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.014{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8B1-6356-470A-000000008A02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.009{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.008{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A8B1-6356-470A-000000008A02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.007{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8B1-6356-470A-000000008A02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:05.007{3A30D728-A8B1-6356-470A-000000008A02}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:06.447{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CABBCD63ACB251EAA61C681B4CAA849C,SHA256=2CE7B9F7D13D847220EA7F2DECD632E22AAF1A8F90DBCCAD4880530F5FCDED1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.842{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.838{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.836{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.828{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000192816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.443{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A1084F5FA12C910DF90382F1FE2897,SHA256=7E8C1E70107EB4DDDC44880563DDA8D23678EC97BF6FFAD80265E4D931392422,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.415{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.404{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.396{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.388{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.384{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.382{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.379{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.353{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.346{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.332{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.324{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.316{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.308{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.298{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.287{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.280{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.271{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.263{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.224{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.220{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x800000000000000099282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:07.794{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DDD6567AB4757DBDF717265990A2BD4A,SHA256=70110DEAC58702210AAE78333A9C38063D8CDBD26754A38574C7A453508F9A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:07.529{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3547493197D84A4C9220E342E0EF587E,SHA256=2C12E61913A7D8B9FE44751C27F0BAF3DD1CAC99AF4D0150042461342744360A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:06.066{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60514-false10.0.1.12-8000- 23542300x8000000000000000192821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:07.494{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CD60B47186DAC2C8A3F50609D1A4E9,SHA256=DCAA6BC73468062BD58540E63FEEC5D9784A2EF44C9FA4FF2F77AA18EEDA7E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:08.605{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0299503F7B686DEA155CACFDF68E5C1,SHA256=0CC8F0E71358120BE0BEF70F39EA17AC20EF573360D247A5C0346B52F204F71B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:08.874{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:08.873{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:08.864{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000192823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:08.594{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92210FEF63FAFB69A7DFDF227FD40940,SHA256=CB7D8A041AB23F3347EC11E3CBC1238F95891DB19BA5AF25B0A5793AF0CE0711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:09.712{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC29D9556B833580779E74F694B7009F,SHA256=343C439BE7AC5C21B0BDF9EC5CB62CA40F669C9BF06AED60CB931637451F5265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.719{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98AAA37B546A970A8BF840C86FC2A729,SHA256=050E669E49B127E5FFFC5327E95B3DAD8269EAFD1057C209F5C22761F4F67DBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.647{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.645{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.642{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.641{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.632{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.630{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.628{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.624{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.621{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.621{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.621{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.620{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.620{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.620{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.619{E8723972-5902-6356-8A01-000000008902}434810208C:\Windows\system32\sihost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.617{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.614{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.613{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.612{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.610{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.606{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.591{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.590{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.589{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.588{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.586{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.585{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.583{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.578{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.576{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.573{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.570{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.556{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.556{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.520{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.516{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.505{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.504{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.504{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.490{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.482{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.467{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.467{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.467{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.440{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.432{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.421{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.416{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.415{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.412{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.410{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.407{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.406{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.401{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.399{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.395{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000192834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.232{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.232{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.232{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.132{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150102MD5=F6338A628017A364CB06C0445CEB23D3,SHA256=D594D22972B0287706D565159429BB5D91F17A5FCAC5234FF2139032F0C8D093,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.048{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.048{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.048{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:09.048{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x800000000000000099285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:10.790{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6C65BAC68B5CB1B3322D88C930716C,SHA256=AD75DE23793E0E0E151A0F2C299CEA23AE3FCC29ADD5004F5E0847372199EF37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:10.683{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DEF9BFAA973110E6758906AA25D791F,SHA256=BAF00EA4365F2CB36073808224CF300AB737C8B51237272D2A66B78BA39D7DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:11.880{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5593CD1684E66AEE983E012B208F79,SHA256=1D24C5AB59BEDB58D945E6EB6AC30708BBA054C68B5DE6120C4E38F5F7E68CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:11.769{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85541571127A99839C3CF9B15405ED2,SHA256=B471C7B6A3CBA118539FAC611588B407FEAAEF566FEB10A61F835B6F5AC10BC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:07.918{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53703-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:12.974{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101B87DB681335C9038D97D82CB960C6,SHA256=1DE9559C12A575F71B3AE597E65863F11F69B304CA4EE10AE38A170CAF46024D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:12.882{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B95ECFA94D82E5CBB54E79A0F9D575,SHA256=B180EE94C723A7C205E11BABB4AE8D92BE7932414403BFC07289294F25DB6836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:13.998{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9A4BC2965C1C2E63B304BBBAE2C656,SHA256=D8990E88E5BFF81E6CCE630A9B4A5A8804E087C996D263A30A819562DF4E7BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:12.009{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60515-false10.0.1.12-8000- 23542300x800000000000000099289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:14.064{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A36E5AE755D7096882E3ED540A8E869,SHA256=7C816DEAA50A0C90E0B16125BE14014771A5DB3A6D523F551129A78DECC4ABBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.236{E8723972-5646-6356-1600-000000008902}13006520C:\Windows\system32\svchost.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.236{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.236{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.221{E8723972-58FF-6356-7F01-000000008902}6488004C:\Windows\system32\csrss.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.205{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.205{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.205{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.205{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.198{E8723972-5904-6356-9601-000000008902}52561136C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.198{E8723972-5904-6356-9601-000000008902}52561136C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.177{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000192918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.177{E8723972-5902-6356-8901-000000008902}49286420C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000192917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.177{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000192916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.177{E8723972-5902-6356-8901-000000008902}49288800C:\Windows\System32\RuntimeBroker.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+622eb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aea5a|C:\Windows\System32\combase.dll+a582d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65443|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000192915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.175{E8723972-5904-6356-9601-000000008902}525610068C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.175{E8723972-5904-6356-9601-000000008902}525610068C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.174{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.174{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.168{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.168{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5645-6356-0C00-000000008902}8566664C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5904-6356-9601-000000008902}52567908C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.151{E8723972-5904-6356-9601-000000008902}52567908C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:15.120{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C341CEA85DB6DFAB26DB2899FF90932,SHA256=A1F14561FF63FBA12B658DDAB2CA33A4E5B5845F814F5972549E6B80FFEDE081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:15.150{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=320021876AC0B10638A9052DBFEE32CF,SHA256=B201F41F02FDC0EA78920C51A795D6D7F5C6D63D2D68FE4AEF5091A413A62B2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.420{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5642-6356-0100-000000008902}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000192940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.324{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F86A8F9160371C36CAF394F79331E609,SHA256=E75DC4F8EFC9EF0362FE0D6F65E3A7AFFD33B6088B79B10738A9A569514E8A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.322{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EB450E2A54C6AE0554C6C573B52002F,SHA256=2C1CD1B3617276C9D3335CEB66697F57D92EC845C06194B5E9C84FBF265498BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.320{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.311{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.304{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000192931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.303{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8BB-6356-0710-000000008902}9824C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000192930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.136{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150102MD5=E7111EC9F46C99DC54F6D96D975D62B1,SHA256=E2DC195CB41BD1E55D66C284B812E2265F3A3AC6934358DFFBC18FE8FBB1EA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:16.240{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=545CE518925AEA903A06136C7DE675C8,SHA256=520AF970E4520898259702F958E2580C732B72C81A50C1369B364A373CA0E237,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:12.928{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53704-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:17.924{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:17.332{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0C399022CAD62658CE501E7DD716EA,SHA256=21315DE5A1A26B0D0E0E07FFF574BEF6F6D49D55B12336491C25FF12E4B033CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.736{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_150102MD5=91ADAD51A0A31DD71ABFAA8F021039B0,SHA256=D74765CD62FF04008B16EC368417923E6E639D8CC03FF4EDD3BDC32C1AD6C890,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000192965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.736{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000192964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.736{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=17C133232CFFD19DD0471A4499D0ECD1,SHA256=DB3A3F0C736A9BBD4B55BCF6C4F946EA079201A90539B9BC203713C0C5AD7C77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.635{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.635{E8723972-5904-6356-9601-000000008902}52565996C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+5e556|C:\Windows\System32\combase.dll+5dd0a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000192961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.635{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52567360C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52567360C:\Windows\Explorer.EXE{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}525610048C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}525610048C:\Windows\Explorer.EXE{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.620{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000192948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.313{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60518-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000192947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.313{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60518-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000192946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.209{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60517-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.209{E8723972-5646-6356-1600-000000008902}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60517-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.201{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60516-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000192943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:16.201{E8723972-5646-6356-1600-000000008902}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60516-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000192942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:17.236{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1C5F36D4173A530D25C0EF8A1F328DC,SHA256=77AAA1B94B8F10FBDA8DDDCC41CF0F6562A157D61EC42DBBBD9663A4BD684A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:18.419{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F594D097E27B3E74FF80431614CF50C8,SHA256=416C7C08EDA1941978E0A2C9F482AAB0C3E6E2ADAC119E654CB88B7DBCEF52A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:18.330{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D9889CB1DD6FCB38127BBFEDA2E9708,SHA256=EA211920706644BA88BDC4D8FFED64D4A6E22FDEA050EF3688B7443396343E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:19.505{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E186F45A9251BE51369DEABA5DB1F1,SHA256=E1A8919DD0F2CEA8F7DA4D6B8C386A32C83F35C8F1F215E4403FEF72BB481059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:19.385{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C36246E1C837E94D4D02920C338BD4,SHA256=371BCBDFAD7C633968F492D457E611C5830A8D3252C4523EC7E5B145BDE3A2D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:19.385{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F369B099AAAD3EC9F3EF16977AD8DF5A,SHA256=E01C5D13B1E56729335AEA3A6FFE1C00B87E467EA9E25CCFD4BCE85F89B34B0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:16.601{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53705-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000099298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:20.594{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B538C63EBDA9941475BDC9B2792AA6,SHA256=C32749D044B97A3DD9F30B10264EC9C26D9E96742EFBDC4F042CCAC20AB08F81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.684{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.684{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.684{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.684{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000192971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:20.500{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D604659B33674712099179A9E856EE,SHA256=A6137C0B48DC4929810AF31810980061B4EAA05D93F0B35E9831CC597CA3A772,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:18.009{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60519-false10.0.1.12-8000- 23542300x800000000000000099300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:21.710{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711DE859B669C10FB0CF2356690ECEB9,SHA256=018D9C841771F3BF793F549A75DCB4369264829ECF6CB047F9D86EAF793C2FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:21.637{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A95B98456319314A855E53BCFA4D563C,SHA256=1CD77704AA8A9441F52756D0D54A39853E3D0D46156EA0887D639FF9BA098480,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:18.698{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53706-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:22.794{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=713B6FD9C17E917853817CF4BD5D3D6C,SHA256=CC559C41C6ECA6708D0DFEABA5AA9FDA0F129125C4E7F51CF1195720E5881A58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:22.898{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:22.898{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:22.898{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000192977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:22.753{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A677CF467F05E084EDD2D2F67C51835C,SHA256=D0FE59CFC7C762BE99466FB11081918A5BB3F6D3194BC8DEC9AC0ECA5E0DA8B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.893{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-342MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.853{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F010DB7733E833064ABF6A6119E16D4,SHA256=E2D2EBB0F68A8896074659A030233D6D4220BDDB80BF89733E20CE8DF0566FD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.623{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.620{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.615{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.612{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.611{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.605{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.603{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.600{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.598{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.594{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.591{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.586{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.583{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.573{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.557{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.524{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.520{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.507{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.475{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.464{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.446{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.423{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.416{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.409{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.399{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.385{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.377{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.368{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.365{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 23542300x8000000000000000192987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.599{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=967AAFE092C298297809D1B2AE92282B,SHA256=91E8C2902E2454ADBC712A0988E24B89E58497D64CD9F968B154650712ECCE89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000192981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.053{E8723972-5902-6356-8A01-000000008902}43488208C:\Windows\system32\sihost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:24.983{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB063855EE10286A7E98AAE401D73C5,SHA256=F253DE3BB9A85E22794C622799100D365484935F64F3D075408ADA66DCE99FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:24.884{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-343MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:24.138{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29304FA335316D81589C556B5B81188,SHA256=D6299898062CE4CD4683726B950AEFD33D618B4F1270D66F0FF9851D16011AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:24.706{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF14250e0.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:25.970{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F53F3C266B2FD6D95866EE01F5B084,SHA256=6326A38EB864DF16AC02214CA0E0C7B0107A8BC3C26C4D5CA9703631E7C0EFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:25.466{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-332MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:25.229{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DEB64DC2AE53E6637881BE70F1CCA1,SHA256=9BA6650761850540392F417F3A67EC45FD9E3BDE0021B556E1E8BB1295F9F515,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:23.110{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60520-false10.0.1.12-8000- 23542300x800000000000000099335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:26.465{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-333MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:26.311{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175C7D9738B942E10B97069C6A9FAF1D,SHA256=BBF4E7DD6B91F0A9CCFDE18ABCB10FD5A12482334503EC0CA6E698C96AD82B0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.930{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.928{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.927{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.924{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.897{E8723972-A8C6-6356-0910-000000008902}83203812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.709{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8C6-6356-0910-000000008902}8320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.706{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A8C6-6356-0910-000000008902}8320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.705{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8C6-6356-0910-000000008902}8320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.704{E8723972-A8C6-6356-0910-000000008902}8320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000193022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.497{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.487{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.483{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.476{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.472{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.466{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.464{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.432{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.422{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.409{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.404{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.398{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.389{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.376{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.363{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.355{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.347{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.331{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.257{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.254{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8C6-6356-0810-000000008902}9924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8C6-6356-0810-000000008902}9924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.036{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8C6-6356-0810-000000008902}9924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:26.037{E8723972-A8C6-6356-0810-000000008902}9924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000099337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:23.909{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:27.395{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0DD85B1ECD1A7E2F84148819F6E388,SHA256=8432057DB9E6D8BD1424E225B8087113F84CE232F3E82C889524830E3EBEBBA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.508{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.508{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.508{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.508{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.507{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.507{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.355{E8723972-A8C7-6356-0A10-000000008902}6904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8F70E8A78B9395F1E4EF7AC7E07C92,SHA256=0965CB00D3A598E381E734E2141B7FF9E063FEA41BD3F077AFAABFFC7E439357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.352{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CAC21265AD837D3973C976DAABA3024,SHA256=FC0C5B0E3AA7F4D43E0B7C1CD0AF5EDF341C06DF8E5C788B47A22311E691DB0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.105{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000193037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.105{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:27.105{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1425a47.TMPMD5=B6AF075EEF849C96E5B077C7686AD18F,SHA256=6238E31FF8D53F83D88B98475C1ADF7A06FFF50096493BBE9E30B6DA56F87D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:28.480{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94737042609983EB8B16230F4786DD88,SHA256=7E0FD4D885F077609D5EB1DBC3FB43B2FD51B262783572AC04D71C1F4D8FE48E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.961{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.960{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.955{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.714{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.222{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8C185E9842D7F8E53AC2C2F2155978E0,SHA256=2EC9152CBC5CC9F13E23CCBD65BEEC9941ED72B56CDFEF693DF5B9294698ECFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:28.153{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE8B50B654A41BCE338C3777A27D908,SHA256=048C88B4800D08F2CA533EB4C4A09E7B64B8F639CC5DC4DF5A954F5A80777767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:29.571{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721A2D948D1E0119F4A196D09FF4936B,SHA256=EC1CABD7F3C3184E72AC557FBE95AAD93B6D5A2E44825B2CA80DFC23F3644ACE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.724{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.712{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.709{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.706{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.705{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.697{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.692{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.688{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.684{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.679{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.670{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.666{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.665{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.664{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.662{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.659{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.644{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.643{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.642{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.641{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.640{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.638{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.636{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.633{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.630{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.627{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.625{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.616{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.613{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.583{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.578{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.566{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.565{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.565{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.551{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.543{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.506{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.498{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.488{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.483{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.482{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.479{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.476{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.473{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.472{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.468{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.467{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.465{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000193061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.224{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27DCD5AD01C192FC8EB5C983B3E4D113,SHA256=B82A2E1E04B90A05B0C9E6BA4F8C2F03D3B4C58C85680AA859A39A9AC4092CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:30.661{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3D30780205CA56DD4318DE60071019,SHA256=0676A2BFFCEDE24CF0E0594262879CB2CF7012E2A826F65511557BA7B1E99DEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.686{E8723972-A8CA-6356-0B10-000000008902}97088564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8CA-6356-0B10-000000008902}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A8CA-6356-0B10-000000008902}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8CA-6356-0B10-000000008902}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.529{E8723972-A8CA-6356-0B10-000000008902}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.525{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A2BAB129E25B6868F5F02DDC1B6B60,SHA256=E974AC2B7EEB08EF8DB14E2B7DC8FCACA8E1CB858C87F6C01A029BCCCE0B4B25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:29.011{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60521-false10.0.1.12-8000- 23542300x8000000000000000193110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:30.139{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AEE4E8064DAA97B1F5C7D6373C04D585,SHA256=D72612456C96096693C804F62C142D423C5933E08FE9DC01461ED4DD9D6ABB63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:31.742{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1DC9FD037D2835C29735B960693BF23,SHA256=B9D64BB8AEE6FCAD09759D98C35F78BF160C347AEE050781632F0B98F241067D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.877{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8CB-6356-0D10-000000008902}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.875{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.875{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.874{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.874{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.874{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8CB-6356-0D10-000000008902}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.874{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8CB-6356-0D10-000000008902}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.872{E8723972-A8CB-6356-0D10-000000008902}10036C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.510{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9275E7DEF4327AAB47876893BFEEDAD0,SHA256=3ABA28C97EF799553786AAB473E0F5D2BC6F804FE41B32D71CF42C6C4603B276,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.355{E8723972-A8CB-6356-0C10-000000008902}1022410096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8CB-6356-0C10-000000008902}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A8CB-6356-0C10-000000008902}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.201{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8CB-6356-0C10-000000008902}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:31.202{E8723972-A8CB-6356-0C10-000000008902}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:32.829{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D5CEE5987DCE7CC9BE3270A7682295,SHA256=525B6BC28688E72552B1CF5BBC93510C1C106E4177E491699BBD0E64B7CA4F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.987{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A24DB5678A5BD0E033D1808F3CD869D,SHA256=B2A6C40EF6D8E64096C5C83D1572816F0FFA49D0F7A1F24F4DB74BDD3334FBE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A8CC-6356-0E10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A8CC-6356-0E10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.702{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A8CC-6356-0E10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.703{E8723972-A8CC-6356-0E10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.584{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA7600DFD671EF83279F46206495FFF8,SHA256=D49496578677AF1079C9B97646D6E4A481AD2BAE5B7ED47E06833870EDE3C051,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:29.919{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:32.112{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C01C2336CFA5C96401A5A3E9A304FF8C,SHA256=DAF06265B64557EC370FE7AFDB144E385FCA7AD9F841D34C98B3778515CCEE0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:32.125{E8723972-A8CB-6356-0D10-000000008902}100363288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:33.910{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C3D06EC08F660C98C78C86DCC66BA8,SHA256=635D3962D56B5BAB7DC9E7D367387CBF3AA7747CACF29E466DD0F955F736AE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:33.655{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCD639A3BA6492974ADD6C23F0FC924,SHA256=7A44A990ECE6F6ADE9B627F643B41F9C9F4E2E0E4A646CE749E96B0C079239C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:34.772{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E13B378D63D8E704DCC9F38F3F449E6A,SHA256=550FDD25BC73018E48D7F608C437D0853563778BEB6EF36C5B0CAD7345F91FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:35.886{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5D08F5C277AD64087EA75E9B527E27,SHA256=23683C1CF82B625E7F425D6DE32EE296D9419E268891CC174246D124E46A09F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:35.008{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63BC3011C70C56E774E3632424D20F51,SHA256=558DA9AA0929AD92C8C57317B7021C2493E24EB77AE8C0318B176C23B5FE8491,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:34.013{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60522-false10.0.1.12-8000- 10341000x8000000000000000193166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.940{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e74e98|C:\Program Files\Mozilla Firefox\xul.dll+e623f4|C:\Program Files\Mozilla Firefox\xul.dll+3842e64|C:\Program Files\Mozilla Firefox\xul.dll+38be584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:36.103{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0575C6CC5257C22B48A9D5D3AB6C869A,SHA256=73381BA66D5EB56D2DBC1E93B0E36F61623A538224A18A9702F867E236637BFD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.586{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\AlternateServices-1.txt2022-10-24 15:01:36.585 23542300x8000000000000000193164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.586{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.585{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\AlternateServices-1.txt2022-10-24 15:01:36.585 11241100x8000000000000000193162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.486{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txt2022-10-24 15:01:36.486 23542300x8000000000000000193161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.486{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000193160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.486{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txt2022-10-24 15:01:36.486 13241300x8000000000000000193159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:36.401{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000193158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:36.385{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\16F939A6-F11C-43C5-B462-BE8A86302C43\Config SourceDWORD (0x00000001) 13241300x8000000000000000193157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:01:36.385{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\16F939A6-F11C-43C5-B462-BE8A86302C43\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_16F939A6-F11C-43C5-B462-BE8A86302C43.XML 10341000x8000000000000000193156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.385{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.385{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:37.184{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BB5B3CCF085F5836D9195E86C246F7,SHA256=BCE522D4ECEAA84A6CC712C8561ED706F2319754D290DC6721AA43A9B2105C25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.969{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e64954|C:\Program Files\Mozilla Firefox\xul.dll+e735b2|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.969{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9ee269|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a8c96f|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5A49-6356-0405-000000008902}57163324C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+aa82|C:\Program Files\Mozilla Firefox\firefox.exe+648e|C:\Program Files\Mozilla Firefox\xul.dll+7bd31e|C:\Program Files\Mozilla Firefox\xul.dll+9e90d4|C:\Program Files\Mozilla Firefox\xul.dll+9e7125|C:\Program Files\Mozilla Firefox\xul.dll+9ef13e|C:\Program Files\Mozilla Firefox\xul.dll+846b13|C:\Program Files\Mozilla Firefox\xul.dll+17cdaa7|C:\Program Files\Mozilla Firefox\xul.dll+17cc7f5|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+84a377|C:\Program Files\Mozilla Firefox\nss3.dll+711dc|C:\Program Files\Mozilla Firefox\nss3.dll+89b11|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.956{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe106.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5716.285.1564014951\900420841" -childID 282 -isForBrowser -prefsHandle 5888 -prefMapHandle 9928 -prefsLen 34438 -prefMapSize 231165 -jsInitHandle 1016 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221019185550 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b73f403-e37b-4e48-8117-49cb0c0869d3} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" 9376 1ddc1e31f58 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442LowMD5=2C1C9646FE1E0E4523667FB6F258C59F,SHA256=BB0679AB0C71EF86E2A353C0B3B9258C42C104B3C9A3AD23647934B795D09ABD,IMPHASH=5358568F6EDC0DB44595BE82D0734963{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000193254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.954{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.947{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000193228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:01:37.947{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.285.156401495C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000193227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.629{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7EF41F370334DC5CC2943B063FBF71,SHA256=364DA9F9E7524735616554F4E710593DD28D8D614D0CC081CBE4F9954F9DEA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.379{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.378{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.376{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.372{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.371{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.371{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.371{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.371{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.240{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.240{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.240{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.040{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\indexMD5=436E3C3207CFCFD569C4BB16F020A9E8,SHA256=60E3D23063F07F3641E423DACDF96A009B32DEF0A2AE204D2F3F1D9A470C6D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.024{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.024{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34687AC7B252C4C2F4893C662E87E697,SHA256=D56A32196D8F5C1FA42FEC9AB3349CD3DF5511440F756F0D146894335D2DB102,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:35.953{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53709-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:38.284{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B609E1B440734F00D5559D26D620145E,SHA256=4E49A51B4F84E83949DFD0E2B9FFFD5CE95B2B348E0B17CBFA330C893992206B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.688{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A8E153AA655075BD56FA611F9FDECDE6,SHA256=1F9553E020A46DF4D60F14B0DCECAFBDB8323064B3CE57F1B5CD2CB75F1A9CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.651{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=365A83E36997CF2FC9455A6AF91AB50C,SHA256=41CCABA192E7764296ED799B929BD7F977279C177FA09EE60D7CC650F5F1E583,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.602{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.602{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.602{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.601{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 354300x8000000000000000193292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.403{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60526-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000193291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.390{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local56057- 354300x8000000000000000193290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.377{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60042- 354300x8000000000000000193289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.128{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60525-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000193288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.128{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60525-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000193287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.949{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60524-false104.244.42.66-443https 354300x8000000000000000193286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.834{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54533- 354300x8000000000000000193285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.276{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60523-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000193284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.276{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60523-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 22542200x8000000000000000193283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.838{E8723972-5A49-6356-0405-000000008902}5716tpop-api.twitter.com0104.244.42.194;104.244.42.2;104.244.42.130;104.244.42.66;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:36.838{E8723972-5A49-6356-0405-000000008902}5716api.twitter.com0type: 5 tpop-api.twitter.com;::ffff:104.244.42.66;::ffff:104.244.42.194;::ffff:104.244.42.2;::ffff:104.244.42.130;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000193281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.355{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0ACD8DFF52D9C221DD6A8037AE70B94,SHA256=852EA9506EF3C043E88403ABF7659CE8DA56BC13C417D6816123F3D0A3663E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.173{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64942C5899DCA84DCF5D1D5ED6DDF68F,SHA256=2581D5DA18C6306E0546D7425491D90E289BECDFDDBD9D75D7AFC8CD6078E5F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.076{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.074{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.074{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.055{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.055{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.039{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.039{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000193272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:01:38.039{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-281C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000193271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:01:38.039{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-281C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000193270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.023{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000193269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.14351467515787919364C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000193268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.14351467515787919364C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000193267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a8e6d4|C:\Program Files\Mozilla Firefox\xul.dll+1a8c797|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000193266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.285.156401495C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000193265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}57165536C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+113deb|C:\Program Files\Mozilla Firefox\xul.dll+12f85dc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000193264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:01:38.008{E8723972-5A49-6356-0405-000000008902}5716\gecko-crash-server-pipe.5716C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000099351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:39.384{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=612CD3CCEB5D16FD287DD7B0163EB97D,SHA256=4A52B5D4D3A3C732717B831502CFF7782CF15DFBA151E18F51A48A05FDC4EBBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60527-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000193302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:37.959{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60527-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000193301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.272{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5367F3534F566D873B7282C0C2DCEC24,SHA256=5760B6F9AC3449EEBBAFE5CD0A84B291295564615C259C03666F60773162EA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:40.470{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EB97ACB5F7080B0DF13D2BE3594D87,SHA256=56DC82006EECCADEF9F4EE6355F40DF7AA528C73F2D264475923EE33ED205B97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.887{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60528-false104.244.42.129-443https 354300x8000000000000000193308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.852{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51529- 22542200x8000000000000000193307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.858{E8723972-5A49-6356-0405-000000008902}5716twitter.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.857{E8723972-5A49-6356-0405-000000008902}5716twitter.com0104.244.42.65;104.244.42.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:38.856{E8723972-5A49-6356-0405-000000008902}5716twitter.com0::ffff:104.244.42.129;::ffff:104.244.42.65;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000193304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:40.327{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874278AEC54ED1FBA88A205805DB8058,SHA256=8F8334B1A29878F7632143F322A3A73190B13689B9BC5B55D7529A10703F7480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:41.563{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BEC0699842FE50E35E5321BF3292CD,SHA256=531FE67D2F96C7F1BA1182C7C235E37824CF57107384F7166D8A5C52A6B96E8D,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000193320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.537{E8723972-5A49-6356-0405-000000008902}5716d3ag4hukkh62yn.cloudfront.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.536{E8723972-5A49-6356-0405-000000008902}5716e5791.a.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.535{E8723972-5A49-6356-0405-000000008902}5716e5791.a.akamaiedge.net023.202.84.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.535{E8723972-5A49-6356-0405-000000008902}5716d3ag4hukkh62yn.cloudfront.net013.224.36.4;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.535{E8723972-5A49-6356-0405-000000008902}5716www.macys.com0type: 5 www.macys.com.edgekey.net;type: 5 e5791.a.akamaiedge.net;::ffff:23.202.84.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000193315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.534{E8723972-5A49-6356-0405-000000008902}5716www.amazon.com0type: 5 tp.47cf2c8c9-frontier.amazon.com;type: 5 d3ag4hukkh62yn.cloudfront.net;::ffff:13.224.36.4;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000193314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:41.458{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72ACF66E56A69064A3FD6C488FC934B,SHA256=1E170FAF58E8B03FCEA7064A80A24C17C144C1F2D68174F15A5937BDC944DAFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.530{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54042- 354300x8000000000000000193312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.530{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local56895- 354300x8000000000000000193311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.528{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local52970- 354300x8000000000000000193310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:39.528{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55033- 23542300x800000000000000099354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:42.656{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA3FCDA17F35F0EB10699419B09BAD6,SHA256=F3B2DD6DC40C9D87ADA389FD75BBA46FA6C034BE218F93BFEA8A38FD4D93C276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:42.557{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F833C4797746E5B721A23CAF0034D88,SHA256=99C10233DEC5293A7278D3A1B6A41830A3F7A2FBD507D756915821076DB210E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:40.015{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60529-false10.0.1.12-8000- 23542300x8000000000000000193321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:42.042{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\6787MD5=BE2D84830316ACBFED5C41291DB9D2E5,SHA256=7F3430E5A9042DA31CA278B9DADC0F57CA7A767E2DC58696C7A7919EDCCA3763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.741{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100C2331C8F9DEAAB5B70D6C0AC1C049,SHA256=0F91E148ECEC926CA57CAE8FAD527EB8993883EEA468A987B585A800FF3213C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:43.587{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5EAC3A646F2B1C3F0B39BA5AD0280F,SHA256=AB2BC627E7620A47A5D5BA3D0C1BBAB4B626DC7F387D0AE0813E016605274FC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.564{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.562{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.558{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.554{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.552{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.546{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.545{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.538{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.537{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.530{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.528{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.524{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.521{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.513{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.505{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.485{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.482{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.472{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.443{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.436{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.428{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.418{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.409{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.404{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.394{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.386{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.376{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.367{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x800000000000000099355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:43.363{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 23542300x800000000000000099385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:44.939{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A1F834B2B98B752B9B4484B98A0B0D,SHA256=AD41DA69288F2A11B10A8B34907BDCEF5547F3E7716ECD126399FAFF38973CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:44.658{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946A59CDBB6972C2CF5D336556C7F97E,SHA256=F5352703E054F40433E8BA4052FD16EEF520AF7D8A30E8EB14F949A9F0568AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:45.786{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03155BB5D553FE770167DD2960DE6C54,SHA256=4F8AE0E0D77BFA816CA77F8412158953ABA8ED7370B1A58201B11B430900B328,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:41.735{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000193352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.939{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A49F9271EAE42265B0DAC6C293C673,SHA256=308BD426CC30D1AE54B719CD511D54D6BD1053890EE3649565B0C6EE7959951C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:46.025{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0D9F6E633FCBA42406F67F6DD6AA4A,SHA256=8DF237B1D0D9FFE9581AC94D3F66C1BD39280CA87742EF68799904F0BC666752,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.780{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.778{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.776{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.768{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.396{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.384{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.379{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.369{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.368{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.342{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.337{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.324{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.318{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.310{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.303{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.294{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.284{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.277{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.268{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.260{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000193329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.225{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.224{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.221{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x800000000000000099388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:47.106{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F853B7DE59915C655AD0A431230F2B05,SHA256=01C9AD1649F6955CFF7AAF893597244CA3BB8D5DBF1F7064EBB617E39E39C55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:48.184{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F4EB3B07EC58CCE9213B1792DA0BBD,SHA256=DA97BAD7A98CA095B3D63EE8994A2F27420915EE654645F50C4DF76ADBCC27FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:48.809{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:48.808{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:48.802{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000193355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:46.097{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60531-false10.0.1.12-8089- 354300x8000000000000000193354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:45.990{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60530-false10.0.1.12-8000- 23542300x8000000000000000193353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:48.024{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56C3A003B74605621B8D9B8E5F9D53FC,SHA256=7147FBB69085492BF1B528D21A9B0712C37F089655F8D633B2E1505115C69B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:49.274{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21FB92B70201E5310F10CABD9D1ED72,SHA256=2EE0658861C26D1EC29DA673E78F592A466D95EA799F8BE744100B765B7AE35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.643{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.641{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=DF47BD3E0EFA00E4480E01A0EAC34D64,SHA256=B292F9C1391A64B4058400F462BB3DF4DEAE743C45D6EA6A490C9979814F7772,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.570{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.569{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.566{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.564{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.563{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.556{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.554{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.550{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.547{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.544{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.541{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.537{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.536{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.535{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.533{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.530{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.515{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.514{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.514{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.512{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.511{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.510{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.508{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.505{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.501{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.498{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.496{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.488{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.487{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.457{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.452{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.440{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.439{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.439{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.424{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.409{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.367{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.350{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.345{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.343{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.340{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.337{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.334{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.333{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.328{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.327{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000193360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.325{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000193359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:49.124{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5523A5B8ABB7D875EB8B70FA5935E720,SHA256=B4EDF3D5BB378404335FFF4804A78A926C8AE06963BE118D113560A1CD5334D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:50.369{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35EA5A98B0CB919CFA2B8ADAA5949646,SHA256=76B5E6E47450152ABCFF226F8C522B5EA0D91C3BCAC30251A665B9C278029624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:50.339{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5A3005BC4F8A4CE31D2B4449E6B15D,SHA256=D9ACE7FD70D8CC09006AB862DC9E3CA3779ECEDC659A0E76A2890CDCD5E6698F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:51.452{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AABB21BA6D3B20E56C83EF5D8FD789A5,SHA256=52F4D75E6EEA68B70E93A05AD04CF4437F52CF73B91BCFC1FA814039EAC228B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:51.384{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3D9902AB7780FED55D8E3033133597,SHA256=2725D9BE7CE1A92868B83F641C926910AF65D04841D71B38243AE725777E221E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:51.384{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:47.734{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53711-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:52.550{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15681DF4276E8386C3CF12DCCEF5494,SHA256=54E3B75F42AB4D687839D5FF2D0F414083D119A91FCF513D48B9786BB91E8B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:52.486{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC8E39E76AF011098C5332569136C55,SHA256=B4E9F57387FA9BEFBF1199EC8BD61DCFEB4730DF49DA486BB3BA4FBB850FCEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:53.647{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2B56DE4317C1A04960DB9543F4A35F,SHA256=3175AA4A6C7193F48F7019FACCFCA9B698B745DE840CB10CE1C42A23319C0EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:53.601{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFFE3B33D6AC213B4522EF549F976DD,SHA256=DD1153DFD02A456DC84A3C521251553BA1CDDE731407F0CF10808599A9B5EB16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:52.012{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60532-false10.0.1.12-8000- 23542300x800000000000000099396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:54.735{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF6EC1E0EE3FF43EFF9929D369D9676,SHA256=92E17A79D19C0A4B49AD614990DFE6ADD80B0582DDCC6A3DD27D775D46C195B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:54.673{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0BF9C9696879EC90CBEC44A1E4F904,SHA256=B299AF9635AA9ABBF70AE6BE278BEAD64759E5DBADDB76F713193CCA66E51D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:55.819{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35CB8FB19D6BCE965997A5225095178F,SHA256=3750B17AEA595047AF565D18DA0DE6147A2FB47C947D3500D3C83EE0E57F02DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:55.773{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=053F9F65EA63C2CCF9A5C39FADCB38CA,SHA256=E43AC4018F9D01E822192F678D60043414C99141979AC552A3C2936E48E1621B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:56.899{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67E520FBB2E1625A0AAEB59ECA764C23,SHA256=859751B6AC6C1A3D37143928B869FADBA7E3109E392B1D80296422AD5907A345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:56.879{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0482B2544FF5E99D016178B5E4F4B7,SHA256=E12AC7A56B07F6892C0EE1D4DEDC9FBA67E705A16913EAC7F5736F90BC6477E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:52.888{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53712-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000193419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:57.973{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5A23CD5735ECCFD2CDEC5DD42DC9BB1,SHA256=A71F0467051FBE8507EEE7423B6926346B2DD60E9F7BCADD1897D3024A53EB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.987{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127C60714F2491F201DD211E9230D2D9,SHA256=E6ED2E8AA78DEAA1DDE90A7F2333B18D72D6913014FBA775E2F5A14FD357E094,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000099422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000099421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01393536) 13241300x800000000000000099420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0x2e1acb49) 13241300x800000000000000099419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7b9-0x8fdf3349) 13241300x800000000000000099418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c1-0xf1a39b49) 13241300x800000000000000099417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000099416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01393536) 13241300x800000000000000099415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0x2e1acb49) 13241300x800000000000000099414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7b9-0x8fdf3349) 13241300x800000000000000099413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:01:57.987{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c1-0xf1a39b49) 10341000x800000000000000099412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8E5-6356-480A-000000008A02}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A8E5-6356-480A-000000008A02}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.925{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8E5-6356-480A-000000008A02}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:57.926{3A30D728-A8E5-6356-480A-000000008A02}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.996{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E879DF55EB9C0F75780AA8428A87A17,SHA256=0EC94BD4C48FDE8B929D3A38906A1ED2233D8DCBCD9FBCCA417DFACB22A2E5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.752{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=475EDE3E9652C84D710EE8873A1C13B2,SHA256=471477213366C4C32F25BC7C8BA1B556521BF8B77E7B01FD5F0F5A1FC3C8DE92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.724{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.724{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.724{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.723{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.723{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.723{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.596{3A30D728-A8E6-6356-490A-000000008A02}2744C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.595{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ACAA3362DE749287CF8FBC1661AEA154,SHA256=BC3F323745855D668FD214B242AA54D1E6F041D18B02E41ABD885E7CFA2C007C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.112{3A30D728-A8E5-6356-480A-000000008A02}1132748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.995{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.995{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.995{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8E7-6356-4A0A-000000008A02}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8E7-6356-4A0A-000000008A02}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8E7-6356-4A0A-000000008A02}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.109{3A30D728-A8E7-6356-4A0A-000000008A02}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:59.106{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298281292C53042FAD1475965635472E,SHA256=46F7D1FBAD1790BF9E85274675265A083AB90B6E521158AB1D58E88ED89382E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:57.868{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60533-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000193423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:57.868{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60533-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000193422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:59.385{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AFDAC426017E68CC9B192E7410E46428,SHA256=FA629D69F16AD2A61D73D5FB0B29FCD111B387982D94F9C3A0E8938345F7733A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:59.085{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA73466D569EA8C59531011B059478F7,SHA256=79C262201F9AA959B34C2598B9FD07099E57F6CBFAE95AA2CF82C5DE42AEB997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:59.073{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4988C8BF01B77E22B3CE2B3141A8C8C,SHA256=3AF2123A5370678734CB3D443AC9225D3C7635505F98EED05819CC424306F16C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.305{3A30D728-A8E8-6356-4B0A-000000008A02}31442732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8E8-6356-4B0A-000000008A02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8E8-6356-4B0A-000000008A02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.104{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8E8-6356-4B0A-000000008A02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.105{3A30D728-A8E8-6356-4B0A-000000008A02}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:00.057{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9943D0D086A08CFBE683378939A2AA40,SHA256=209690A6B5214ED430DFB6632F92B436584A6CA4EB3BAFD287F796BA4FAED458,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:01:57.990{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60534-false10.0.1.12-8000- 23542300x8000000000000000193432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:00.154{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24295D82B6397E3185F135844A28543A,SHA256=A5200F566382EE4F091C3A29613564FD36599FBE2E8D9765E3424D3ADFF78B4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:00.108{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:00.108{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:00.108{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:00.085{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:00.085{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:00.085{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:00.085{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8E9-6356-4D0A-000000008A02}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8E9-6356-4D0A-000000008A02}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.930{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8E9-6356-4D0A-000000008A02}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.931{3A30D728-A8E9-6356-4D0A-000000008A02}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000099494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.477{3A30D728-A8E9-6356-4C0A-000000008A02}40723660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000099493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:01:58.813{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8E9-6356-4C0A-000000008A02}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A8E9-6356-4C0A-000000008A02}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8E9-6356-4C0A-000000008A02}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.258{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.259{3A30D728-A8E9-6356-4C0A-000000008A02}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:01.135{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A648FBC67F9A940954150B259055B3E9,SHA256=6E260687A6E5E1EE62C55375745CDE65A08849FB00F4150BD3C1E7F0E849B56D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.891{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.891{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.891{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.891{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.890{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.890{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.886{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.882{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.882{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.882{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.881{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.881{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.881{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.869{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.867{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.856{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.855{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.855{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.855{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.838{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.838{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.838{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.838{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.823{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.823{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.823{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.823{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.823{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.785{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.785{E8723972-5646-6356-1600-000000008902}13006520C:\Windows\system32\svchost.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.785{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.776{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.776{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.776{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.776{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.776{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.776{E8723972-A4E8-6356-590F-000000008902}101127960C:\Windows\system32\cmd.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\SHELL32.dll+fdb9f|C:\Windows\System32\SHELL32.dll+fda2c|C:\Windows\System32\SHELL32.dll+5b20e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.775{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\2.vbs" C:\Temp\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000193435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.754{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:01.173{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5148343CD09ABBCFC37512BB247EB32F,SHA256=EA5388CD5DE642EEE92146BAD922ABF17ED910A011880D8EBE0966B49E4DE7F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:02.441{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088F75E44398FEC9E1B38B8819849BC1,SHA256=7B4294535BDCF3FDF009E96F5BB2E49A480BF9E65CEDD80363632592997E2D04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:02.511{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6839A97595DA774762515B4C0AEED8,SHA256=4111BDFEA599F60DAB337536AFBA5DF98315E0EF0DB9D80295E09AAEB424BF81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:02.355{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=617BE67CE4A0B4E9595810EFE30E1D50,SHA256=E7C64B90983958E8BF8BFCB22E6BADE3D22F4AD0BE1AAD0CBB9745B861CE0E2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:02.180{3A30D728-A8E9-6356-4D0A-000000008A02}24483872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:03.510{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5211311E0BBC62A2261DF3860ECCDD24,SHA256=4018CDE08E5CC02D967B1E6A9116DAA604576642912C1DB6313EA443A4ADEBCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.629{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.627{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.624{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.621{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.619{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.614{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.614{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.610{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.609{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.600{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.598{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.592{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.590{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.582{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.566{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.552{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.549{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.539{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.507{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.495{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.489{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.480{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.470{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.459{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.443{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.408{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.392{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.384{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.379{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 23542300x800000000000000099511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:03.238{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C607CB8F2E05FFD484BB3D92B66946CE,SHA256=06C65ABB151D5D888FDFAD34299B6FAEE41467429359729BCFAAC4A384889807,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:03.014{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60535-false10.0.1.12-8000- 23542300x8000000000000000193495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.625{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED059B498A6B684D3E9CE8E1E02E5E93,SHA256=9E6D8F031BFB4D8F40E58551B9914F1295E853AB30FAFC4256D559046CD5BE6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5904-6356-9601-000000008902}52568660C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.541{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.525{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.525{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A8E9-6356-1010-000000008902}7832C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.525{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.525{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.525{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.525{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.525{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.525{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:04.525{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:04.686{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA3D05ECE3CC4E7CAFFE2A20D63DB73,SHA256=69643837C049650B2173418DF4B0F4C193F8D62205D903063C946204A0888A73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.902{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.741{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366B4EBAFDB4F8AE1DA1353D86C37C4B,SHA256=1D2ABF34D2D06F214390BE017B7909CD4EF7E38A08CBE92D063B1132C033FB33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:05.640{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99520FBF18E6100671738380B88E33AE,SHA256=14EA867B2DE4F76E0346035D71FD55019B8E780FE1AE291279372C0E8B2E44ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:05.555{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:05.555{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:05.555{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:05.555{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:05.555{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:05.555{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:05.555{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.020{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A8ED-6356-4E0A-000000008A02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.018{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.018{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.018{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.018{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.018{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.018{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.018{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.017{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.017{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.017{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A8ED-6356-4E0A-000000008A02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.017{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A8ED-6356-4E0A-000000008A02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:05.016{3A30D728-A8ED-6356-4E0A-000000008A02}3212C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:06.827{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420BF6A2C5EEE84657170DB468FAEC0A,SHA256=FF9EA79E549ECA672FBEE273189AF6FDD7CF48914FA2676B081D8B5B69AF60DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.934{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A8EFE6431A47130AE15404819B46435,SHA256=15BA6AE784D6F89EBDC1B2FB2A1D6A40B59EB81112778EDF8FDE3991629C0F45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.771{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.769{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.767{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.762{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x800000000000000099557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:06.089{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=562F78A980D0B1CA4D1570E34F28CB9E,SHA256=58A12443B42B52831F87714E24DCB92CE6F4EA9BE69F34D9D488943D2586D8EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.406{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.395{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.390{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.385{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.382{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.380{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.378{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.354{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.348{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.337{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.331{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.325{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.317{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.306{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.297{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.291{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.283{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.275{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.239{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:06.237{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x800000000000000099560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:07.912{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB2351430762C300D809500E6700C23,SHA256=47797C6A5321317206E46F6A4A4633380BD6048567CFF96D6A0FA971C545E134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:07.851{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885B5940505F01EB23AEF567C277624F,SHA256=4669753DEF25AE4E146C9A05D1F6640C6BC4B7E0F5FE425CDF10FA6BEB4463A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:04.751{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53714-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:08.997{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D917EA63BFE9A35E90DAA2F34E6CD4,SHA256=4219742982C89A47AFFA09BAC2922657026921D4C1A6EAA307F769BDB34AFD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:08.880{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F696A772C6E6EE8A4963533A280775DB,SHA256=D70F8D3D76B4759707AFFEC7FF1529D6D9C99908F4B8FBF1476E94E11D1624B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:08.794{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:08.793{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:08.787{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.554{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.553{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.551{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.548{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.547{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.536{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.535{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.532{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.530{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.527{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.524{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.523{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.522{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.520{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.517{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.504{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.503{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.503{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.501{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.501{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.499{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.498{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.494{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.492{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.490{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.487{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.480{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.478{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.448{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.445{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.431{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.430{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.430{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.414{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.404{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000193548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.370{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\cache\caches.sqlite-walMD5=74AA5966AA8A8B4C05C44C79990E6BF6,SHA256=8B3754ECE142620C3EF0DFE90E84D416FD46F205F5225B80EF257C2741FBE0F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.369{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\cache\caches.sqlite-shmMD5=8DC633A24EC4BE65C27C59D520C017EC,SHA256=968F283D9D0105CC09553019E52EF97DE35197D6044F04B007EF14AEF1439DD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.350{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.341{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.327{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.323{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.321{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.318{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.315{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.313{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.312{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.309{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.308{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:09.306{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x800000000000000099562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:10.072{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=064BB424D8957A7D78635C617EA6F05C,SHA256=8CA303609A5FAB4385702C419BAEFB7DD55B59531D9D083D77F1E4D68B003E7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:08.945{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60536-false10.0.1.12-8000- 23542300x8000000000000000193584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:10.226{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEC02D6641DA074AD93E37150593FF5,SHA256=073F220DFC9EF045D9B6F39E0C53D56B8F7444A7808ABE1F317297D7963B2890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:11.158{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D937D8F62C6DCECE7930FF6B54C39316,SHA256=4A55893093E9BA81CFED452ADDDD0E7D9143267A418A6D5C8EA768696A406A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:11.277{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA5A90CA405A479D310025153B8FB22,SHA256=46DB75200B0E37B30BB38D862837E009FD7EE39F895A9C27BBF22A469ACA2196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:11.028{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=60652AE03C4AF309DC5C642FE466C4AA,SHA256=2E9C4A761F42672DBF76EF2F57F884FE7DBA4BC6CCC7D88BFE4954F02A6A67C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:12.241{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7EE71BDC87D00B5896FBEF189C5991,SHA256=B9D36BB92133C22568E563820DE3E31BBF7B1CA1AE841AD1BA6C07912AD02F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:12.309{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43CD48EC7B0563A61EFA4DD062629181,SHA256=D9498D8B74FFB5BA8A3BBB42FF06B34D1C8337028CB86E6457BE8BA41DCDE065,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:10.756{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53715-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:13.347{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B62D76875892750A26CCD1BE3CD18B3,SHA256=4FE8B86D31A78722D44CF9393523D37E6D4AA59973A4711E9DA27DFFEA56F150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:13.364{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D9857A8E0FB4BE3590BB0F6954D6693,SHA256=37EE39753E9414187B057FB1B41B0468715C179C4B8530A437955AB6788E4379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:14.445{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA458EC0FC4D9B6251ECB96BCAFF611C,SHA256=9773881EF862495803176A3770DCF3A081E690F903D7D45EE1AC400394A49481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:14.412{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F520E9855A80908336D0EB0B5B533F62,SHA256=54038370624B9BF77F64690729E81475C00A002DB7F0FB6A38F6A0543A797506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:15.534{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B099AAC01CDD314EB4F560F3F1B10B,SHA256=E6FBC25B1FF28B4CA7A275A619E3735490C9C2813EDF5F76758058EFE851FD43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:15.467{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8641F65BC272B4FC54B65F847858373A,SHA256=2DACB747BC0ECCB952AAE09628786017F7E5E067C39FD8B4742FD979B65B4E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:16.617{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4929CD4D524DF66034237ABACE2B3A13,SHA256=023C06E0BDAF53CD3B1A27AC8AFA7E772C06E9F274C76AD1F00C44BC75E52844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:16.516{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7279B00CC2E959B917F65E6EE502270,SHA256=5F1DD6EF58F3581F470195507810506456EEE9AEC809F26F805170C789740DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:16.037{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=FA8266091804511CE9F28E16DD5C7612,SHA256=6712B92E44FA8A20AA444FF45AEBAA9C67A938FA64070CB5BCFDBE3244D7EFE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:14.006{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60537-false10.0.1.12-8000- 23542300x8000000000000000193595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:17.672{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FAEA7A956B9128F8EF4E5863C292FA9,SHA256=D05EC49AC8C2711149D5E03F0C9E30AED2ADE7C04DBF376372EB14C4C6D43EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:17.945{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:17.712{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=722CA6D61805E3AED7428571A8B060A1,SHA256=B9FD8A6AE83025D99E7142DDC594957C9C6C277CB688EE6F3C56081F380F7942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:18.745{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9EB010FCF28C5F544D09EE4F6D9CE1,SHA256=30C24B7A176295F1FDC17A6752054879C54255897FC274B1D076CB0BF47A0A87,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:15.763{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:18.805{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358162AF3476688C56C1432592F42CEE,SHA256=E29E940E6B857BAB54905B0CD564B41FF1AA76B0358A36881D875F460A8A4AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:19.788{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD76E2B1EA784FF9DC1F29C1A6AAF04A,SHA256=F1F3B2D7C695A764807A8912CD522C7BA7189AA0D6A6CC44E3740B2C23149C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:19.894{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=522924725249114C529C710E5A92F59B,SHA256=A7F64E7FE030BC56D411AD77DE61237D6C351D25A26C11E475B6E08EE210F9EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:20.845{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C035E61024647DB62A1E69887A68050A,SHA256=5A4B679B63235BE51F10A37E771F8D494EE8D5F0C4BA28B30612488A1EDF91A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:20.995{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F58389F104DB9158290EB103B2A8539,SHA256=0A48996B23B1533382535CBEBCDA1F00F7575163DF8562BDAB5F99F1D84F9160,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:16.623{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53717-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000193600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:19.965{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60538-false10.0.1.12-8000- 23542300x8000000000000000193599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:21.877{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A105B95CF124C5D02C5FDA4138CAA9,SHA256=DC6B83A4005536B04617B80B04CB5A5FF1B33493BCB89745AD0C18B3471E5FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:22.927{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12889B9F5CBE19E2AF23E429089FFD4C,SHA256=FA688F4AED3063FCC92433199DF30A19383EA5AA98DAFC919C0D88BE840649F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:22.073{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C48C8C8AAE30709004D2CDA2015B38EF,SHA256=609D13C0388D3C4FE43E6094C12D61D234EA306EE21B4DBD96F654EDA40BC4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:23.965{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD639BD04185962A07BB817E7FED424,SHA256=BC830788FED366C7AF6D10B131442EC0F280808C2E701515C94DBC292AB665B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:20.797{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53718-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.632{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.629{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.626{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.624{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.619{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.615{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.613{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.610{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.609{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.603{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.599{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.595{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.591{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.582{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.573{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.548{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.543{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.534{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.490{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.476{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.467{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.453{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.435{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.427{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.411{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.401{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.384{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.374{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x800000000000000099579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.369{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 23542300x800000000000000099578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:23.161{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C43A95FC075D5FAACF772731E8B540,SHA256=EA0D0A527D97BBDE7047206216FAD91013348EDE0C06BB59BBDEF1F89236F28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:24.390{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194BE566A79C3C6E5809BE0FCE15EAA3,SHA256=E40000EB8B6839D65E02D4A56F1950AF5AFE560EED1A9B53DE601A58123A5B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:25.460{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4091EFE1E055DEB603B44E5FC039E47F,SHA256=6BCE5598BC1B7C43FD8A546825F4FD22C5BA38C488B40F9A7F7E7B01744BE292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:25.418{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-343MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:25.015{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CBC81449C8513BFD39406E9B37601C1,SHA256=EDBE7CB8FD283963EEAA3CA00764A3AD9EFAB3729B1CCD95A73E2887C591F5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:26.987{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-333MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:26.531{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEC34F69BE716B3B574A2BA4A50788AC,SHA256=B5312FDF125819E10D3CE65DE0122B95F9AD0C21737EA4B23DEA000C6A325390,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.841{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.839{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.838{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.833{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.707{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A902-6356-1210-000000008902}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.705{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.705{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A902-6356-1210-000000008902}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.704{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A902-6356-1210-000000008902}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.703{E8723972-A902-6356-1210-000000008902}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000193641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.466{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.450{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.445{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.437{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.433{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.431{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.428{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000193634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.417{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-344MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.391{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.383{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.367{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.359{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.350{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.338{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.329{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.313{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.303{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.290{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.277{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.234{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.232{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.143{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.143{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.143{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.143{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.143{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000193615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.143{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000193614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.085{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=80ED65C4EEE4DC3A77B5FF2814E6CCF5,SHA256=2C0A2919917791C7E09EEBBCA297CC823415930DD06243324B4629B1FD073E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.070{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59D05394B623669C44BEAF0C90ADB97,SHA256=1CFB200EDC66EC6741237FA9F0A529C4B0F2DBF7784FC817515B0CF3E37D8B99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.033{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.033{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.033{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.033{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.033{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.033{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.033{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.033{E8723972-A902-6356-1110-000000008902}5308C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:27.989{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-334MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:27.616{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E262284FFF87CB9322FD47BAE0183DE9,SHA256=101F47F68A60662BA401771C4A4C2F13C71B4F4A85F41F0C80B0A53B21035466,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.533{E8723972-A903-6356-1310-000000008902}93925484C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.373{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A903-6356-1310-000000008902}9392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.373{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.373{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.373{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.373{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.373{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A903-6356-1310-000000008902}9392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.373{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A903-6356-1310-000000008902}9392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.374{E8723972-A903-6356-1310-000000008902}9392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.191{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6866E49041DC95D6BFDCA8622D423487,SHA256=13953C1EE0EE3D1F9A6DD7251B0C5DF2BD2C7A677EC99A572935A72D9680EBD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:27.117{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A88BDD5DA2AAAFEE0200B7F930C9958E,SHA256=92F50D960C665B13F92D0B96F0D8B4AADC9A46297F06202F4468FC21CCAF9AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:28.700{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9384BD7ED39B65C7CC0F064A61D58C41,SHA256=C70748C0C188F70A4A6F7DC208ED1EFDDB969A37FA5761C37AF15025FF0F1AF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:28.879{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:28.877{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:28.872{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:28.715{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:28.234{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9D7D959042A6D2ADE47109003A79C0AA,SHA256=562D09B821EEDCD460FBF3CC95DEA15E3200BD3D25EB6CA7F44CA6126BA85C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:28.192{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480C2809A0602BDC9BF0EDC39500A5EA,SHA256=AC161B6A5740A95379F6BF7DE1482B7EC5DE8970EE48C4E761B34FD2281D661B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:26.005{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60539-false10.0.1.12-8000- 23542300x800000000000000099616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:29.790{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B28A3D642F5049263AA96971B2D55858,SHA256=636674BBF8CC2E144369023EF0C80639AD37D5F32F427EDE88CB3E5DB7D1F966,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.632{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.631{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.629{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.627{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.625{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.618{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.617{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.613{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.611{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.608{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.604{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.603{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.602{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.600{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.597{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.582{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.581{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.581{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.580{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.579{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.578{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.570{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.567{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.565{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.562{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000193695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.561{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=72E6BCA1EF69755F25118D9548B0CC37,SHA256=0173EED1B5783857DF87AA67C24DFEC0E60A458EECB06322AC66F61A4A9AFAB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.560{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.552{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.550{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.521{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.518{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.505{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.504{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.498{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.485{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.477{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.446{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.431{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.412{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.408{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.406{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.403{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.400{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.397{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.395{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.392{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.391{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.389{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000193672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:29.235{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334B0C3EBF7570EB15AFDACFDEED67A9,SHA256=93CC1267EB62AC636916DF969B6197988880AAB7F647A3EF91ED81E134434A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:30.875{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458842D038CDCF0309B26AABA51F9C0A,SHA256=D8CD1D9B35CE992EA28D051356E8BECC66A8FF8B1A840F679197253CDED55CB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.742{E8723972-A906-6356-1410-000000008902}48682412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.607{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8ED9E80CAA033B1B0B2F4BCDA903321,SHA256=AD7D529227D6D2C2A5E867082421960BE3F12CE0FE6E852AB0EFBD0FD3C34879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.536{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A906-6356-1410-000000008902}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.536{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.536{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.536{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.536{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.536{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A906-6356-1410-000000008902}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.536{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A906-6356-1410-000000008902}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:30.537{E8723972-A906-6356-1410-000000008902}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000099617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:26.817{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:31.968{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9C3E8893A51463F313814FC3F6603D,SHA256=DAE82D7F8D6521D96566B9F2F7EFDDB16590AE3E02373AFC8F8DE7CD966E7497,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.923{E8723972-A907-6356-1610-000000008902}1007610152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.744{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A907-6356-1610-000000008902}10076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.739{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.739{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.739{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.739{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.739{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A907-6356-1610-000000008902}10076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.739{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A907-6356-1610-000000008902}10076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.741{E8723972-A907-6356-1610-000000008902}10076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.644{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6322BCA9084C0256C3045194A9DDD82E,SHA256=70E6594290D04DE5520754CC4F4934C59E9F9759DE5BA1E435E0333CCDA8F248,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.390{E8723972-A907-6356-1510-000000008902}94523604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.209{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A907-6356-1510-000000008902}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.206{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.206{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.206{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.206{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.206{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A907-6356-1510-000000008902}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.206{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A907-6356-1510-000000008902}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.204{E8723972-A907-6356-1510-000000008902}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.793{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06998010DE8E7362E1271210CB8801F7,SHA256=5A57918417D82A5F5600160C366042F3D197506067FC82774061BD96D3FDED77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.678{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DCCD0FECC2456AE59F861F9D395CA96,SHA256=441ECD7022A270AA0F74532FFBE344DF07FCD4B126F29452EC1ED5480A07BB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:32.617{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=816F218C44EA4851582C47F2E79A430A,SHA256=E486F26CBDB1BBDD353D53FE3A06759045DA5754CA843F3AC2577A082A3854AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.613{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A908-6356-1710-000000008902}10040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.611{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.611{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.611{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.611{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.610{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A908-6356-1710-000000008902}10040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.610{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A908-6356-1710-000000008902}10040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:32.609{E8723972-A908-6356-1710-000000008902}10040C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:33.725{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAE822575F558698541B69D4AF59F98,SHA256=AD4AAA180D9894D0346296EBA37AB1C1D6CF446179ADEB8B952057EBDA20CA94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:33.055{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EAFFF856849BCD65FC5AFB33C5D84B,SHA256=DD8B3F03861A6959D8507D7577F038F1CAA11F03C1578253ECC0241D7D421BCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:31.010{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60540-false10.0.1.12-8000- 23542300x8000000000000000193762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:34.765{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED9F7890165752DD1D7D55CDE40F7B3,SHA256=F3F8FFC4440ADC8017B73D19BEA6B89AB7E101F4A3ECD388AECEE5E752BF7463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:34.132{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5A1D27252A24DB7C02E96AC7630C76,SHA256=60C5FEE9E3F13C26260C530A2C6635286DE757D2AEBB9EB28DE7F922F4BCB11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:35.815{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE48865CF5838067F1145A671C117E7,SHA256=F5314F15A957DD9A87F85ABD50B1BD8A127804AC2ED93F65BB6633585FB84CB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:31.842{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:35.197{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C113103949D2B81B5774F156DE35ED4,SHA256=63FED1B12CB6DFD638280168E886F56780C44C8F1F64C4E0E0DAC28A1896E485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:36.889{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7482DF562A51F141086A4334F845D57E,SHA256=47CD9FD304DF84FAB76C4E5707197D2B3F62154722150C47C10797A2C41ED80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:36.265{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3175AA44CAC129ED4D9F89966800F1B8,SHA256=03548C57ECC1AEDD8872EFF09B1BB0F05F21ECC73310EE9D684EFDC04912CC0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:37.938{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443D9FAC26460F0F02B377E2FA33ABC0,SHA256=3A8EC9CDD216CE291D969944C3B8B8FA0770343D4FA1C3EDCF83E293E3A71B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:37.347{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC099801453314FA21B063C07367BD9B,SHA256=303151BB193BF3E37F76DC33A873DD05F42BFE25C310CFCA34D126A9E6F1D65A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:38.993{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B821B1B7D61AC80AD3396792DFD84A6,SHA256=E9F7AEB26DBE47234E3FF3CDEE62B870DDC5708CF7B86E962F3ABB6601EB24DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:38.431{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979B375FECD4861463AE0B79E8F81E7F,SHA256=253ACB666D678B204A497B56BE51F2BE95AEACFF8364CB888DA4A61F6E88544D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:39.528{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AAA868DFAC4B6D5B4A3B38F11418830,SHA256=D52D2BB161FDDAE3F144B93C0DA12DF4D7E0CAF82139FEAFF982A2714B6A92DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:37.734{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53721-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:40.610{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24DEBFCB207CD573CA57D05DC4788F6,SHA256=4A97A9A901CEFD7BCFD91D51333307C74F1AFC60137B4AEC6BB4D5501F40B3BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:36.978{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60541-false10.0.1.12-8000- 23542300x8000000000000000193767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:40.042{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0116FCB79C087E6BA22537A7B39F560,SHA256=F367507342BC7DA5FA762E67ECBB118E96FE728F90E140440EED7C6BAF9EACB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:41.691{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7716A719158A31EAC4B037E1CCE7F8,SHA256=F13C1D6549503CD5C79FE7BF58D5C42F18077D10A2392B4950B70DAD775C8958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:41.081{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716BFC43D36A2911092BF96595E486E0,SHA256=7412082C3C0010D5674A8251B411F674A0E3542754B41EBD1DC09EC34789558E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:42.784{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FA616EF4A7240E4E0FA8838504DD5B,SHA256=FAC0F29A45402B3CC81DAD4DEE4B411FD548A677AF6D54A30E5CDE5ACC87577A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:42.131{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C53A017D694AA737A63A379E44FD0D,SHA256=569D40548028AEBFD923F17F03471475155BEB6D945F0CD193E86E190EBC8D4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:38.601{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl55571-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000193771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:43.216{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBBA03B52169606C9C9F7C36D50CF6A1,SHA256=880D7BF75E7B8C2F169D0FB3EC2D95BD24B4EE45D10C00F2D7E5F756BAB08EB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.578{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.572{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.569{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.561{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.560{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.555{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.555{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.548{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.547{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.543{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.541{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.536{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.534{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.524{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.504{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.486{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.483{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.474{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.442{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.433{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.424{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.414{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.405{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.399{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.390{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.383{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.375{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.365{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:43.361{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000193772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:44.250{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F16ACAD06F1768FA0B2C97B93B4E5C3,SHA256=C44F37D1D238E2D6572049FE42DD5F687B01AFB2D3FB3A29CCB9B5B2225070FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:44.522{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48412B141A5AFA6823D8C9CD3EE08732,SHA256=87E5D313CD31E8292C574A5CAC5F4153DC93E7DE2BB8092FBAB14AE078C60B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:44.087{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C825980180EA8E27812B5386C09C7EC,SHA256=25FDBA6C7A40189D8F20317E7CB0F9BA626D66750034A289A30D94FC6258CDAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:45.290{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CF5C305D26BD970A6F0A41A0418E85,SHA256=0433E5E05821BB374A3D8F2211D9D89CE6891A3CADE720F426DFA12FE24F797C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:42.827{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53722-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:45.200{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABCD13DF0DE279F8AE1A118264F3CBF,SHA256=8858BB42D82257EB7660D1447679DB0E93FA5221C643A7C005BEFE5011A1BA49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:42.953{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60542-false10.0.1.12-8000- 10341000x8000000000000000193800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.785{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.783{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.781{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.777{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.400{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.389{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.385{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.377{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.376{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.373{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.370{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.348{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.342{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.327{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000193786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.326{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518E8657462BD52EE77F4AD81BEBDEC5,SHA256=61D2FF1C65827D56D6FBCDA19802046613E17EF2567D1EA9AFFD6A1F4777690C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.318{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.311{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.303{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.295{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x800000000000000099667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:46.282{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41588286B6A17F3E47A921B1A3E4552A,SHA256=5E1B466D2DE9C3BAA42A47EA86CFB9919107A7AF8540970B0841DBC4D0EEB021,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.285{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.278{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.269{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.261{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000193777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.240{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.222{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.220{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000193801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:47.454{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F628840228FEDA8EFABF87F2F2BC557,SHA256=5C69E0E8CCE486966457091C3DEC6BA8FCE3A349416E1180F18CB22425F8BD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:47.793{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B1990E73850E672FA3D5EB7D3A611B2E,SHA256=974F9EE3A35389C4F3681835E735048D6DFF6A53362DBD35306AED4B1FAB9100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:47.367{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FACDCC55DA93CB89E02A52BDC19CD4,SHA256=6ACD951E4D980C61F6FEF708CC867EED3BF98A6C7F937F7BF96BEEBEFCA10547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:48.802{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:48.800{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:48.793{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000193803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:48.555{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24E08C955AB7B3B673DFD616FE11F75,SHA256=97B3C1A90C0E67CD3E67D5D28781775FB5A8B3623B1142E16C325E5B1E191F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:48.453{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FE8C1D6189A1234CF4546436152034,SHA256=0CB373F8460565C5E80437AD6E53D9BA4F4D6B7FE6CC3E1DDDDC21B2DC28222C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:46.115{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60543-false10.0.1.12-8089- 23542300x8000000000000000193854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.842{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE3E5CC1B127524FD117F375525AB7C,SHA256=C71C84CAF8546DB3178802F64B254BE9C488E242E66777B2F6708ACD77748B9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:49.520{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141500F8182F0DCDBBB07B59EBA41F08,SHA256=4A180F9C87762DEE8DF34F01EFA89054C522E3350DA92B4A076EF3C30C908814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.552{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.550{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.547{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.545{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.544{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.535{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.534{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.530{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.527{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.519{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.512{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.511{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.510{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.508{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.504{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.486{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.485{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.485{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.484{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.483{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.481{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.479{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.475{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.471{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.469{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.466{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.458{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.455{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.428{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.424{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.412{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.411{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.411{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.396{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.388{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.353{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.346{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.336{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.331{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.327{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.324{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.321{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.318{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.317{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.314{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.313{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000193807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:49.311{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000193856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:50.975{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36411758F04F8F9C5172FFDBC1937DA0,SHA256=CF90628A2ABAC3F26092172E6272C0591CAB3C77072A66FCA97F13A509E002DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:47.829{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53723-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:50.597{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42399E9CC1F06CD090CF022905DA0A1E,SHA256=920AE4C0EF29F53BAB0CEB04739EDE556D69A0862E633E994C1D6A1D80E4754A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:48.143{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60544-false10.0.1.12-8000- 23542300x800000000000000099674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:51.671{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D19429596C418E5CCD01152A1F2DFC,SHA256=7071AA065F011893F15874A9B8251BE27565AB57A4D6BBAB07BB81468588400E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:52.758{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5F0A25AB5D747AA898383EEA15FD0E,SHA256=D3CFCC5D1E71A07FB71BF00871598F68334719579FE9DF734915477D52DDC3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:52.029{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F824BF0861240F62956395E62460180D,SHA256=F03A735BBC0826662E58A4E45F9AA110D54609B2A332697E677EF5F3C7AC82DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:53.845{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3FC05387D0F5746604BE9E2F296C20,SHA256=97AAE1631A7510754DB9F65964E7B01127339995695CAD5B2E85320CA91713C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:53.080{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECC868377E6D35B6650736351050182,SHA256=75B802810229B68C459C382C26E0B86AA1913C42BDAD24E2068AC1F010898520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:54.939{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD177478A6DCE2CA636422AA9ED8EB21,SHA256=9B2CC1E6AD81255DABADF1CF0E579EBCF88045A9CB15E8C82B7DAE77ED1AA22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:54.232{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=383BD31ACBD01793D94DBD329143F8EF,SHA256=6F5CABB0FAA963C944D538148FDDABF45420D3903B37D27A69EE9D4D0ABBB0E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:52.850{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000193861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:54.069{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60545-false10.0.1.12-8000- 23542300x8000000000000000193860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:55.318{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AF45C65B811039B3126DA4144D8218,SHA256=D18A6C31F279FE391AD32F6BF41BFA5E1024866B6FBE096DD156E5F51F7A072D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:56.040{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8685CC8AC2A697B6876F51AD503B00D,SHA256=D4269AD39D2057FE01F385FB40C685A4CC0E4A0E0DE31A21A5CC6AF464D59419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:56.383{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DCCC754E36B42680C434A33B84DA64,SHA256=4460E732B9A1E7513A7C1DD8081F573D63ED0E8AACC1FD726CC2779BADABD315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:57.440{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA5CF06BA3A143C24905842B04F5AA9,SHA256=A080098DACA01ADDCE5B346B1570871898ADD4B145F221C66B038B6EDEBC69F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.933{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.934{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:57.141{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D580F1EF52F9042257D4E2F145BC1C84,SHA256=62DFC15FAECC266B863F7B41BAF6AC3027E79D319AAC37896B5B4F885B83AAFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:58.485{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4CDBE49E2257A19707C229AB1568EED,SHA256=80431DF7F3C425B87EE73BB03A56142E41A7767CEE975F6BF4EF04963E34DE6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A922-6356-500A-000000008A02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A922-6356-500A-000000008A02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A922-6356-500A-000000008A02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.603{3A30D728-A922-6356-500A-000000008A02}580C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.602{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CE0D7D4D3DCFD5130A6ED8D2D777342A,SHA256=B70B86989342EA6EAFA3E32C474A46DD162EF07874F63DE68743062258A42ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.227{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C892978DFAACAFDDBE273252125AB40F,SHA256=0381DE097E12EA4A6BA254E5FF68F0DB00343F4FED45B70D45CAAA817F04991A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.105{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B26B8F6B9BB66EF772997626566AC50B,SHA256=298F9D71801740601E843F015D0B80EEB99CEF8C478EEB64DC536B755AB647D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.024{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.024{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.024{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.023{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.023{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.023{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A921-6356-4F0A-000000008A02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x8000000000000000193869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:59.810{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1B00A48723D983A2F22F031F9B587984,SHA256=079812522ED6BEDD4ACD28AFD132C5D07818D6C7A5587357C986D6C7524DA60B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:59.541{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9B13EC12E50F5AA22DB77978F77610,SHA256=A61AEB566A71C9D26912C84C52CFDC829E2B36664EAB56B452E6EE5F9DDF93F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:57.874{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60546-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000193866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:57.874{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60546-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 10341000x800000000000000099731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.439{3A30D728-A923-6356-510A-000000008A02}8243368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.314{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65E0A629E5E5E1D792965A655FAB557A,SHA256=FCB5E45EF070B482DEA9967E3468274AC74B09620B6F2948D2494B9274745C8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A923-6356-510A-000000008A02}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A923-6356-510A-000000008A02}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.283{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A923-6356-510A-000000008A02}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.284{3A30D728-A923-6356-510A-000000008A02}824C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:59.039{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E30BED5221CF25F4DEA377AAE8FEDD68,SHA256=DDE2C11E94D5CFE90420CF043EF0F4F2253FA853F3B3B3A179B6B5A2656508AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:59.024{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CC5D3227ACF17DE1F3BEC65A29421AE,SHA256=E016FCC72E4B5D425CCFCD69F952EEEA60EB112E7C8FD240BD58898EF541B4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.552{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59EEDA4571443FD8B5C3A4E2247993B6,SHA256=255942B260EFFAF94EAFD491F9128B1ECD672AFC10F61C5DB28962E8F449F40A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.294{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.294{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.294{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.293{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.293{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.293{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.292{3A30D728-A924-6356-520A-000000008A02}32003808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:00.590{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97EF715590E3C6D09764EAAAC5C1191,SHA256=8B5FDBC48DA5028888F4FBF958F08794AC973A9D206221E576C42750021E4748,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:02:59.077{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60547-false10.0.1.12-8000- 10341000x800000000000000099744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.111{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:00.112{3A30D728-A924-6356-520A-000000008A02}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:01.615{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67596E52C319D754B8D6CD2252401009,SHA256=61948804210DB2A438B8FACC586DC8066F7C6E91264E2EF383A7029C0346198F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:02:58.851{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53725-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A925-6356-540A-000000008A02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A925-6356-540A-000000008A02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.768{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A925-6356-540A-000000008A02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.769{3A30D728-A925-6356-540A-000000008A02}3040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000099767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.565{3A30D728-A925-6356-530A-000000008A02}34722316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.393{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A1B415EA4ED377192D8C56F077C37C3,SHA256=9BF352D9CA49423FA43902DCE5EB8B283485F63B2F00652FCFF32EFE058AAFBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A925-6356-530A-000000008A02}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A925-6356-530A-000000008A02}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.268{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A925-6356-530A-000000008A02}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:01.269{3A30D728-A925-6356-530A-000000008A02}3472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:02.679{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94B8BDC972AD9696287788957A25583C,SHA256=F4C4BEAA8300EDA7A3B52ADAA20FFAFD237F36EF50C0F22BEC052C9819FA042C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:02.889{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=801AC557859EEF659DD6457056D5557B,SHA256=34CAA1BC9326730E20C824DF2F138ED7A8A655AF0EF88D0C86A67B03CA5D0890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:02.489{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15F8BA5315415860EB5DEC99561C952,SHA256=F34F9465665741BA12CA20CFB002524D7B7C3D285D965CFCF305CAF7D68CF4D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:02.002{3A30D728-A925-6356-540A-000000008A02}3040628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:03.724{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8A760AD4FE14C5ECB475B94815F4C4,SHA256=91CCFC2D0311E26B996EFB593660286CF2354094262B5554288EB22F8383A9DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.604{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.601{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.599{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.596{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.595{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.590{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.589{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.579{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000099806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.579{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26BEB626737A1BF696766428599D4A59,SHA256=EB39EED19AB2EA38AE63FF4C6DD348A29FE2AB25EE5EF4CC4D4A27B8DA2DF2CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.576{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.572{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.567{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.563{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.561{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.551{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.535{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.514{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.513{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.501{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.472{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.465{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.460{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.452{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.445{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.437{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.423{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.413{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.404{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.389{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000099785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.385{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x8000000000000000193875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:04.852{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE8E26D6CA77A046605DBA0EE540C83,SHA256=687C000B84734D91816796FA92A4A1A0C4CD0073FD92C46D64205E4112AD332C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:04.565{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E42DF8F297BEBEFB6A898A022FA72FF,SHA256=5E3A55AC5BC5CF48BC47639763AC1B5015D8B7533FDFF22C8D52B13EFAAF0B2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.922{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.922{3A30D728-58B9-6356-0B00-000000008A02}6241360C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.900{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.651{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD97345A2E6502FF045771EFF3D96C3,SHA256=23B115D16BDB4BAE0D26BB1E789CFA93D852A82125B5F92E2D77E94A8D1EA289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:05.905{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0143122259F33B75C305AECE8E3A5DBA,SHA256=F2C5865AD0D767E41DF59768E1FE444495B83925E72278E6D5E73687BCBDCF02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.028{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A929-6356-550A-000000008A02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.025{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.025{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.025{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.025{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.025{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.025{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.025{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.025{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.024{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A929-6356-550A-000000008A02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.024{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A929-6356-550A-000000008A02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:05.019{3A30D728-A929-6356-550A-000000008A02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.958{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A20631252CE730F316EA1A8F961DAE24,SHA256=3F8FE9424D40FE35FF4240F00B83FEC1AAFB018526912C8945F2C7A63EC33ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:06.756{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1B1ECC1A82D86D65BBB588FBA5075F0,SHA256=4252C6E0E7202CEF2F26F50B3F2A92FEE44E5EFBE8A579DCD3BCD66380E4B864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:06.070{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E342DD62D7910B1E0B29103289F452D,SHA256=435E31644DFB053CCF328851C292B705B1CBAA6FCD9884DDCEF7F37837582762,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.802{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.800{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.798{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.794{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.412{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.401{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.397{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.381{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.378{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.376{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.375{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.352{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.347{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.331{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.326{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.320{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.312{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.304{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.293{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.282{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.271{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.263{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.221{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:06.218{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x800000000000000099837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:07.837{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A1F55973F84E6CCB066BFD8D5EE336,SHA256=996416FA037F93AC68322CEA226945A637D9D2BB72FC07E1B82D437DA03282D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:05.090{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60548-false10.0.1.12-8000- 354300x800000000000000099836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:03.906{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:08.930{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91A19AFC415E394251345D2B74CB265,SHA256=E004FEE25EC404E6D3F01471E29227ADDC5C455FEF98078F1C76ADC51B7C6F24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:08.815{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:08.814{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:08.808{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000193903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:08.009{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480A4DE3D0F5AAA0556627BE3F8FC469,SHA256=49528CAC0D0646476A30CB8A8CFC934C7A0227A4109FF852A46852415F3B0CD4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.551{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.549{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.547{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.544{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.543{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.536{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.535{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.532{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.529{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.526{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.519{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.518{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.517{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.515{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.512{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.495{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.494{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.494{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.493{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.492{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.491{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.489{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.485{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.482{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.480{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.477{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.468{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.466{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.440{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.436{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.426{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.425{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.425{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.412{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.402{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.370{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.364{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.355{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.350{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.348{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.345{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.341{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.339{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.338{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.334{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.333{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000193908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.331{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000193907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:09.086{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7221C100D231743D366F9AFCC81814,SHA256=BB3EFAF7C8EFC544AAE76C86E465B34EC9E1F47ACCD325059AACB5D64A2110B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:10.492{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0AD205CFB363984AD11C007BE38BFF,SHA256=DAB5FEBFF458AC15149C35701092CF865351C658DB51EB9D49D4358CF5CCA999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:10.009{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B98EAB6850DAB1F408F8E9CE7FF837D,SHA256=EDB8C794173D9FEC7B1774709B414AB4740EE13AAE1BFA25127369DB23DF82A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:11.569{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1635AD372C653447158626EE0B658FCB,SHA256=7006D98CF6CD6EEC7B7093B5555556951D35FE21D893BD0CF27BD4D641790849,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:08.906{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:11.116{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F36CA913534FE5AD4C304254329DB9,SHA256=68FA6A5B4571893AA4C5B636FD3B76FEBF4428C6628803B37BF1E3AEE2C28667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:12.602{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4495EF644E837D570AF94FE1021560,SHA256=D729DBDFC7982AF203368511675E31A77EA957A41C13044A0471B86B7805EC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:12.207{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C583AA67A95030D5673CD4D6D2CE5EA,SHA256=46E4FD3D6B60E14B2F0A4879B40A637A4603F29615B1C922EA0747C5BB6BAD37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:13.641{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6CE3EACA609D38FA4F2C9E71A57A400,SHA256=B5DA545A97A3E9C4CF61FBB98640786AE3BCDE864749E86114916551BAB131FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:13.289{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EF7E540052D6ABBDF72E0572307A8B5,SHA256=F7F32B8D19CFFBE25B65DBEBA7CD77A255ED30494D448C668DFEC8B88A0BE468,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:11.072{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60549-false10.0.1.12-8000- 10341000x8000000000000000193967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:14.726{E8723972-5904-6356-9601-000000008902}52565152C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:14.726{E8723972-5904-6356-9601-000000008902}52565152C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:14.726{E8723972-5904-6356-9601-000000008902}52565152C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:14.726{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:14.726{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:14.726{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:14.726{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000193960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:14.674{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6103D126AAB5C12342565059B3EE2B5,SHA256=4E349B7142FF1727EDFDABF4D49A0F257291E58F40BF482B6EABEA74414F2DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:14.373{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFDC15F3C498EBF2A93758C185FEE88,SHA256=DAB3B8F7DD05BAE754A13743A6EA8A775A05AEEF0FBFDB3B864983BF517C6D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:15.722{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6D3ED9C46A3A2B8885DEA5D6592B51,SHA256=BF490B5920FB1A7026A77E6856F6817B22872ECC0B9406F580A08CE2CAE79DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:15.465{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2014961800A0EB8A7DEE92FF4E5241,SHA256=11FC46AC147ECC0CE2CCF36DB4D9D8330568B025FEF87C00FF25E3E7261F4EB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:16.807{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084421DBFD3CA1AAEF07BF0A49480F71,SHA256=3E2490015D5C3571FCA0B386E893BBE04E320EF4AD55A47723CFC9ED73D52075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:16.560{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07245A5AA33FCF35B910793E0EC07078,SHA256=97413B0A088E26AA6BA1CCC56F659FD1F06BD4E896449950AA1CC563492E023A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:17.923{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4478748835D50EB3C8480ABEB2B6BE99,SHA256=CC529F6437CF555C7C649DAF084503F06DE3BF7A277407B9581241482D6DBFF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:17.957{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:14.890{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53728-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:17.647{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423F327709339A0E45A090506B7768EE,SHA256=D06B19D769201C0E6A5EB20AA278D4A5B715B683874615766AE4B88E25CE99FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:17.123{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:17.123{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:18.729{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E9024F15226C7C26873B742633CC83,SHA256=C1AA207083AD3923DA4707D553DF19708511CD35A9B4D95119FA12F3E7286497,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:16.949{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60550-false10.0.1.12-8000- 13241300x8000000000000000193973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:03:18.494{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e7b9-0xc0142a7c) 23542300x800000000000000099852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:19.838{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851A4FB432F996BF360B092DF77B6C54,SHA256=A207F46E53234ABC6F638DFD11DEAA27A72B0A587BD7180A151557B65251D7C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:16.650{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53729-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000193975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:19.008{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911D49CB2CF914845181A9744575D4BD,SHA256=EC3F18EC2D7276DEEDEB12AE37C9DA70F4279B1E091AC3FC7389132D5C8A3DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:20.816{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E812D9E91BD7885EC2BB687791B6CD78,SHA256=25488A3F33DB90DDAA69A14356715412F8E3E42D93C0A9AC8728531D609477A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:20.092{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3520B397C4BC18914CD47F58A87E9963,SHA256=5BA44173DB73819709AE1410F6F6CECE0728CF2BEE0DEBC2BF4A7563EE579106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:21.895{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127314797FED4C717ED4F89F88217DB7,SHA256=07147A8532B89D2F2D32E965A9E80A5714DA9C96098C1A4399A9C97CEA1A94B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:21.163{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DD285AB9743CD0212AEB8B1AD132A5,SHA256=8B2E7D0A0C8996E77D3D91FC417A2CDFA1C999C26075B474CBA30180ADCA80CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:22.986{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD63C4C2BFD79F61E19B9C4682A6EA9,SHA256=7BD9CD0D96FA964F94C26004F0264E525C5B6D2B90061F981C3290ECB2278B9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:22.864{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=0096570D4EB229DEBECED82AFD040868,SHA256=D0F0F30E987018C33E3122ED239E109F12084C3E97FAC28BAFDEC52B5EEAD6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:22.263{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5058E223813A3B709D12AD02287FFEB,SHA256=89F537A5C2977A6164D139177C851702A75411A7C6D0CD85BE7FC7642D10F532,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000193981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:22.121{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60551-false10.0.1.12-8000- 23542300x8000000000000000193980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:23.365{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB920F810A353B5F954C06BB501F47DD,SHA256=E9D039A8534AC814E5B50049171A59EAE92B0A034AF9412E81A05ED1AA7FD593,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:20.807{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53730-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000099884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.600{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.598{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.585{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.578{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.576{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.570{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.566{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.559{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.554{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.543{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.540{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.533{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.532{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.524{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.514{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.486{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.483{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.471{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.443{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.436{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.427{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.420{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.413{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.404{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.398{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.392{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.385{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.371{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x800000000000000099856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:23.368{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 23542300x8000000000000000193983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:24.704{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF14425a0.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000193982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:24.415{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB72BD2763B6DED66257FA1D217D6F78,SHA256=1FE81E282166D4CC222A7829AE85AE6024BAE85D8476FEDC5110FE78E37B54CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:24.278{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC9B9613F4F97F26C9A3C5FF0808AB19,SHA256=1B193116EFB4D10C7F2CB2DF36CA735B85D89024877F9CAFA9C84452060B4CA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000193992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:25.936{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A93D-6356-1810-000000008902}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:25.931{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:25.931{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:25.931{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:25.931{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000193987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:25.931{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A93D-6356-1810-000000008902}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000193986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:25.931{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A93D-6356-1810-000000008902}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000193985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:25.932{E8723972-A93D-6356-1810-000000008902}7068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000193984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:25.498{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D28F667499CCAC1F421CE62DA940820,SHA256=3B25AB7C9F99BFABE485F7B0AA1B6DD99600E842A472DA078629EEFF4396A52A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:25.365{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D189452B6D9CD2DE99135ECD488FD519,SHA256=8D2C0EF76E5136209338C68FD5481BD651373A53CEF9D77EBE0B6D08521F67EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.934{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-344MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.856{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.848{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.846{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.841{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.605{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A93E-6356-1910-000000008902}8200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.602{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.602{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.602{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A93E-6356-1910-000000008902}8200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.602{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.602{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A93E-6356-1910-000000008902}8200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.601{E8723972-A93E-6356-1910-000000008902}8200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:26.467{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F960D3B5D885A50004CC23EC3B173AD1,SHA256=3CF1450114999DB494DE90E55A3111BC9BB90B17ECF5B8123ED784061D11CEEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.437{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.426{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.422{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.415{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.413{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.412{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.409{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.375{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.362{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.350{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.346{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.339{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.331{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.323{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.313{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.306{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.297{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.290{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.244{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.241{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000193993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:26.098{E8723972-A93D-6356-1810-000000008902}70688300C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.933{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-345MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:27.558{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8735CEE5F54A32613FC209E64FA87F4,SHA256=D4234E3F3234BF4D25419FD220B8572016F42F1283917492784C332838C88A15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.283{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A93F-6356-1A10-000000008902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.283{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.283{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.283{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.283{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.283{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A93F-6356-1A10-000000008902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.283{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A93F-6356-1A10-000000008902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.284{E8723972-A93F-6356-1A10-000000008902}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000194032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.115{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000194031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.115{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.115{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF1442f07.TMPMD5=B6AF075EEF849C96E5B077C7686AD18F,SHA256=6238E31FF8D53F83D88B98475C1ADF7A06FFF50096493BBE9E30B6DA56F87D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.031{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9387590D3843923E375684AE02FBB543,SHA256=2127540BAED9230769FB6D967E5345972CF89A8B536FFD8097A372D9ECAF5587,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.031{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BC19D09663DFDDDCF284B22A6F1BAE2,SHA256=5FF78A8A309309C25739993A2D15B2430F754AD5F6FDD12F8F0187A301672528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:27.031{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2CC91FA7E97FF34C47A8A09F6F128F8B,SHA256=872262B4C2CE9C583F7048E49CC259A54218D3EABFC9F3AAFCC8B2A3B4186FC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:25.911{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53731-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:28.640{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2932D8AF0940C292B95FF0A55BDA6E95,SHA256=0E455E9DD5888B26AED7A1043E180229A7469001ED93BE58C634DCBEC6F51CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.892{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.891{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.885{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.728{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.728{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.727{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.714{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.238{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=58BE9B635929D0A5FCC29DC15ACFA057,SHA256=6484347A8A5C1B323BEDE3B8732BFE1E9485FE437B0930D1824E82C49EA6D37C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.132{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9680F7B40B97BEC24EC994F57E42911E,SHA256=F26A7064FA00CF1DF660FE2562439280797F192FA95851C99E3D39F0FD519F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:28.507{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-334MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:29.713{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ACE1373E319EEE14980F0FFAA36A85,SHA256=DEF8129E6FC73C94D0AF8086BC3C5BD0FF5BD42B2084161D05315C39E6B129E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.644{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.643{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.641{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.639{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.638{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.630{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.629{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.626{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.623{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.619{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.617{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.616{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.614{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.613{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.608{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.584{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.583{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.583{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.581{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.580{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.579{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.577{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.573{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.570{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.567{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.565{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.557{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.554{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.528{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.524{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.513{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.512{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.512{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.487{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.479{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.446{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.438{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000194062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:28.104{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60552-false10.0.1.12-8000- 10341000x8000000000000000194061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.428{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.422{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.420{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.417{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.414{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.411{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.410{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.406{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.405{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000194052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.402{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000194051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:29.017{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=199C7A278BEEB780EC929873C0548BEC,SHA256=606FE7B99459BA7EAA651EE7201DA9A97C23FBCE224C46600E343532F6CA43DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:29.517{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-335MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:30.805{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFD4999D1169F86BB2EACEEDE3CF371,SHA256=228CA4D75887C76847288746500E6311DCC9631418D2CDF312811AB93A22A529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.639{E8723972-A942-6356-1B10-000000008902}95523140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.591{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.591{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.591{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.591{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.591{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.591{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.471{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.471{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.471{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.471{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.471{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.471{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.471{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.474{E8723972-A942-6356-1B10-000000008902}9552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.471{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82685C502D42E693EFA09FE5164A8B86,SHA256=8BC30F70065B203660FEF2ED92E8575DF1B563AEAF942327EF3BB885F43C8AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:30.070{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=509253C2159B6B8AAE6CEFB639638909,SHA256=3ED228271502B3BFCF7BC935A7A7DECDB60AA9F3A6FF86F66008A3E4F9739251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:31.883{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96C2293B826222E4D4668B8CB530FBF,SHA256=EDFA9BE2F5ED5676E6ACEB3AC0F1CC465322589A5EF1A11278F09DCDAC5BAFE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.836{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A943-6356-1D10-000000008902}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.836{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.836{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.836{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.836{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.836{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A943-6356-1D10-000000008902}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.836{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A943-6356-1D10-000000008902}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.836{E8723972-A943-6356-1D10-000000008902}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000194126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.372{E8723972-A943-6356-1C10-000000008902}57609764C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.155{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A943-6356-1C10-000000008902}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.155{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.155{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.155{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.155{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.155{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A943-6356-1C10-000000008902}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.155{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A943-6356-1C10-000000008902}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.156{E8723972-A943-6356-1C10-000000008902}5760C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:31.087{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3AEFF13C7A51FF88D8509518AA9390,SHA256=80AF634D909901CB86FD8E8E02AE778BB240EBE485183EC8B195FA3B1AB1CCEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:32.965{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A859F3CA252C8163F85136E64559B707,SHA256=3AAE1370A938F8F16C19508C8312BF483E7CC849CDB53C10BB87ED110450E35C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.921{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CF632B32DA1E1E6C2A98A2B3BAFCF38,SHA256=9784A474454ABC461ABABAB4C328677D12D026D3EAFECC2D7A4CD6A2437B5B7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.621{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A944-6356-1E10-000000008902}9124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.620{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.619{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.619{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.619{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.619{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A944-6356-1E10-000000008902}9124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.619{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A944-6356-1E10-000000008902}9124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.617{E8723972-A944-6356-1E10-000000008902}9124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.188{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99D89BD2AE8BFBB3AAC6FAE5F610398,SHA256=BDD5AA6359CB123A2F6ED434898851009889F6169116A8476EC6120EAEEE0DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:32.129{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FB3EE7F71941F0B9F6C27FAE21E89434,SHA256=BAAEF3C3225828CD247E6CF4C57A67DE809820E577D6D1319BAB30440FD23084,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:32.041{E8723972-A943-6356-1D10-000000008902}79928804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:33.288{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552C5281BDCD91FE8AE5472B208AA106,SHA256=2662475B1EF4D7CB3CE125D3B8DCB0C9121040A2A217C07D71CC3000501A48A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:34.390{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61685E49626C8AF9401F3993FBF00E2D,SHA256=D3D8582A2988F4DAE3597834FA9D467BBB0C8975952C46A4F659A0BD39D1B524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:34.037{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DA5C63CD4B8BB9153311DDC6E8142C,SHA256=E2721C58E4384CD7784D0F330D1F24E383292AA7765D9CA6D609132C80C9D0D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:33.994{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60553-false10.0.1.12-8000- 23542300x8000000000000000194148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:35.490{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24EFC7F9CE6067D5FBAAB15FD2821DC,SHA256=CB2E4C551D92F6AADCD66153D4F9ADB3BB37F8FEA4B987F7F2B814B90D4D3C62,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:31.799{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53732-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:35.111{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461102E569CD611382CE4C235DD234A4,SHA256=EA6045BDD6732EDC48EB59B9BC3A409212EFF133CC2AEB78CBAD0671F057B52D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:36.594{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0EFB4048A5078BC18A8D9EDE20AC15,SHA256=16AE0F4719F1F96684E649643378349F49D6125D9230AAF5DBDD4B1F26EFE174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:36.224{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A67D75E015A806AA10A47FFAC23141,SHA256=A333D22F0D179658F5B2790039A7037FB45EA9DA377DB59A4203726B2C3F933C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:37.705{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0673F961EBD46B62CE8067F6A9FE987,SHA256=9639C9C27E31D37BDFCDF22A6E5A1A3437979EBE6304B9470AFE9E13993D271D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:37.306{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3317D0259A0D992A4D18C897D92C45E,SHA256=8961BB1BB1D9A0A2305AC153DF9F946FC303812A61AE5B324E6EE287324F0899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:38.404{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBA7CC4C5D54314ED4F10136990A3D7,SHA256=AC1478F1A618E79C4C1B53A1495C3B09275400A6D8BF8D1DED1303CC72B18161,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.624{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=45859E7784188665E7C4BE2CF6E0D504,SHA256=CCF8BD7E41ADBE8D0276D83C324D60479E5F35F00E77D8D09C6B5DF3FC64D96D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:38.391{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000099905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:39.486{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D82D819C27D10D14E6AC25D83FC4984,SHA256=AD3AC954408A14AEE3F4B7C7A3A90BF3B182B2FC98E606CDA04B1134641835B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:39.040{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0358F81EB5B4D4C5FF81A91A29621CB0,SHA256=7EF109333A88B3E028B703BA098A38E8E1C3A7FB404FB10C46696BED200AD776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:40.577{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C61F45858941A74EABB9F4028FA21F,SHA256=052D2F39D83E6EA382C26198A86485C381CA82DDAFF338223B9E0C19AD3B7057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:40.108{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48F78E701A4B7C2C1D43067C5C6D4CCA,SHA256=F8E699CE47B9137137463E1C75E2EFBB6D74918BB49703C247649BF3E3E58C19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:37.831{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:41.663{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAB9086FF0BCF91CA5481831C6CA115,SHA256=6AF6B8444386C6DCD65A6769A7A2C053F1CFCEE0C007B07CA92CC48B8AFEC0EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:39.950{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60554-false10.0.1.12-8000- 23542300x8000000000000000194192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:41.209{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6DB5CF26302B6B7408BC27077516D5,SHA256=9E56066C7AB7BB25F3D0C6138BE1CE178043A64859EAD501456A439D3EEE6711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:42.756{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF1949211D0E5706E95DCB2A9F94FBB,SHA256=646B7EB84A891B6CFB6B503C857D3230880BE07A85C620400F8AAF2B70217BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:42.310{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A3591C038688A0494583BFDBA9FA33,SHA256=385178FCDF1BC1A379BB5B0431D60AF4568C5B4476E1380C3BF83FD9D7537719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:43.397{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F73044354B504887E464AA4AE45A62,SHA256=776D8A8181E3243F2EB1A87B1924AD6A7462EE2F7D8239EA89D9C41AE8648FC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.539{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.536{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.534{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.531{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.530{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.527{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.526{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.522{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.521{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.518{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.516{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.512{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.511{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.498{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.489{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.476{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.474{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.467{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.444{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.438{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.432{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.423{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.413{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.408{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.400{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.394{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.385{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.376{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x800000000000000099910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:43.373{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000194196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:44.497{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E993DE75447FD5D7B21D7CDA248E909E,SHA256=1D085B230B5C4180A7FF9080B314C620EB84932D4D47E018606DDFD4F73CB400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:44.048{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAE00044B803B56665C6155721A0179,SHA256=832EE2D3334CF6D86EE0F380CEBD07DD22A50B70D0327FEE2F4F774A697103E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:45.616{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA2E790A846BED0CCA3094A8D9FC713,SHA256=000FC2EC9E2BB1A0EAE96AEBB68F553924C6F299625A6E2557C99A9F5BF19505,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:42.866{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53734-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000099941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:42.268{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl56003-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 23542300x800000000000000099940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:45.141{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297D2FA823C8684A48EAADFEA95856E1,SHA256=D766890B731B72380A33A333C8881442B2A7CCFF9071216E5E415271FC1BC2DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.839{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.837{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.835{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.832{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 354300x8000000000000000194220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:44.972{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60555-false10.0.1.12-8000- 23542300x8000000000000000194219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.682{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23061D49F2FD933E1C0FBD2A7A2C24CB,SHA256=2A83F7678619F473537C284ED9171E372D56C0C0AA3F462C10B80A3E2E2F3AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:46.234{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C86DB8A39EBD50660A3660548426C7F3,SHA256=E9A23C63EA782EB9891D8130A5B9C3A643C2E7D866BB9A87D455EDE451F9D9BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.389{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.376{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.370{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.363{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.359{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.357{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.355{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.347{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.343{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.338{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.336{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.334{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.329{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.321{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.306{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.299{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.287{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.276{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000194200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.257{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.233{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.230{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000194226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:47.784{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17268F90127A874B6417205D37ABD6D2,SHA256=D9880DCC0A3B363307739AFC60B39FB0701776E2DA00E507E9B234B0C45F203F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:46.130{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60556-false10.0.1.12-8089- 23542300x800000000000000099945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:47.989{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=385623F015A501B46DA42AACFEA1913B,SHA256=8BB7829B45B841C4724D8E18DFB86419E12921BA94DD933AC3C3C6EB9C507D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:47.323{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE5DEF902B4FA0F76D05727626A38C2,SHA256=C449B4051B25BDC3DC263D812F2641F53A7990B33948F1D0F710C6720A88E918,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:48.892{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:48.891{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:48.885{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x8000000000000000194227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:48.785{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30845540E501F950397022D756149AB2,SHA256=98F67BB8D7BE5758255C85ED0AACE5195F0E7A480645012E7F6FF9A737FDD91B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:48.408{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D555499F52C96137D600C56DD940E41,SHA256=E5940743CA7E12556837A8AB827706AB2D144D4A0011B7903ED21D4FAC867354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.948{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87553BC0C77FEE755A5A87540C9F70E7,SHA256=4AAF2C64FEFB72A6D532F64D9E2054349DF2D173593A61678105FFC9FF4CD14D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:49.502{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348D135D8A081A41022D999E2F5E4C39,SHA256=8F6BDCF6223E3BE64C6BA0B077220FB47066FFD49328EB933B9874444A458795,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.642{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.640{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.638{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.635{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.634{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.626{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.623{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.619{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.615{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.610{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.609{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.607{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.605{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.601{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.580{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.579{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.579{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.577{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.575{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.574{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.571{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.565{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.560{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.554{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.547{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.537{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.535{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.508{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.504{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.494{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.493{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.491{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.477{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.468{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.438{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.432{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.423{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.418{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.417{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.414{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.411{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.409{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.408{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.404{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.404{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000194231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:49.401{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x800000000000000099948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:50.582{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B74048EECF8B31774A565FD2E93815,SHA256=39E9BD869A7BC9A871AB4AE50B9CCA218C46139733B8A5BE8626EF791AEB0A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:51.677{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79997615812411D63F81728A203F6ECE,SHA256=D980E23414C7E731E1084107879A0C5EAE80EBE0C4BC6D5BC6A1D40A3D2D2A69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:50.138{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60557-false10.0.1.12-8000- 23542300x8000000000000000194278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:51.033{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD2169C0171E9C8A7461F17BBE97143,SHA256=9B34ADC53633057CE075F37DE9C91085B3EAB52EB57676A0EA108D4F02C14A2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:48.793{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53735-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:52.770{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7196D1418C109F5D39E6AE523D41DBB9,SHA256=BEA3FB1E76B74DC9D849F393F8BE91A57EB862FE9F20A11949BB141984A2A4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:52.134{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B1AEEF8734BA09D502D7604E37A361,SHA256=E09443511C9996724C13A21051584D9E9D955AB01F7F98BFF394F7BD830A7468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:53.858{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D39A6D458A5FAFCDBFC88B6F5F1F0C,SHA256=DC5B6E648DFC119D7AB2586EACF9A84EF6FAC5353FE280CCECFC55E75B20EE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:53.235{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A3617E01E8FDB80CC1C4BFF2396CEC,SHA256=68193EDF33918FEC8859ECA485835AB70CD7E62E58EB14D840FD2599915B490F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:54.946{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDFF0465F68EE5E3C500FEFBC6D4C67,SHA256=F8F4F50A8A731BCA28EA061E7C78E09BF90A44D232A08FD3A4069709103733D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:54.337{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC8EBEAA5BE082911BD6F121FD273D0,SHA256=3C0F8A590047413C9D9B54A47FF3AE0B00646CD841423D57BB9B6E029DC8C7A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:55.421{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E04998A8142C12E0502D71F3006A147,SHA256=7FCE4926C4203F2EF84E01B974FAFAA7719289797D64FAADC58B140492D44033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:56.539{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3455E01B5C5A92B069571D2F975C2995,SHA256=9C17C040DD08118A4C26BDA8A2EA1B47E3350555E051A7543AF1D17AE7BAB9A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000099955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:53.907{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000099954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:56.051{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C2C2BDC7BB0AAF7D7183AB88710040,SHA256=3005BF1FAFD20B2121C6AA364C238251AD53230D475EEAD6DE49BF1D81ACFC0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:56.106{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60558-false10.0.1.12-8000- 23542300x8000000000000000194285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:57.626{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12AED5D7A87AD103131325244729A151,SHA256=79DC899902467FFD2D70781FFEEA391EF74AEDC297061D323CBD4F8D052AD0B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.954{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.955{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.892{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=970D0498F5B7426C025A29C72E6D786D,SHA256=85702BF067C6063D50150670CCEFF20B7F1C207497D5AE875AAF16C6132E81A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:57.130{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E90EBBE72D4F9B895F38A7101BEF18,SHA256=9B2533F8D5AE14079B02ECE3EC1CA88CBB0FD65B1510FDB582CA65923F94042C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:58.680{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA265ABDB6685F1B4B7A45BCE6868D4E,SHA256=713A643E5DCC8E12FE862141CE851EADD051340DEEE4EC0E78A987D97B5409A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A95E-6356-570A-000000008A02}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A95E-6356-570A-000000008A02}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A95E-6356-570A-000000008A02}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.624{3A30D728-A95E-6356-570A-000000008A02}1704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.608{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4AB70A8361EF6FDDB4FEDBF0413C2644,SHA256=88FB3FDB17654DC3B33EBE8A6B9762ED7005C8B27DD4DD1CA1505E07E9E1C4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.217{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AD1056768FF7C0527522833D2F07E3,SHA256=5E2307F450B2ECDB67D144DE7124B701BCBEF5712E46C7AA9AE6C268013B9DCE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000099977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.169{3A30D728-A95D-6356-560A-000000008A02}4283356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.103{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.103{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.103{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.103{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.102{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x800000000000000099971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.102{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A95D-6356-560A-000000008A02}428C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.228{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A95F-6356-580A-000000008A02}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.225{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.225{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.225{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.225{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.225{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000099997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.225{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A95F-6356-580A-000000008A02}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000099996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.224{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A95F-6356-580A-000000008A02}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000099995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.223{3A30D728-A95F-6356-580A-000000008A02}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000099994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.201{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF12EDA549311573758151A931E29A7,SHA256=F5450D29BA1602193629F905C5350210E82C2DA7BC44765F8EB461EFBB3271D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:59.781{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6640DFD9DB5321A7F170C04C2B8C9CC,SHA256=F8195F6F657E6E83E7680B4A36FB50E9D04E3D08E758430BD7158D4B2A7129BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:57.882{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60559-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000194290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:57.882{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60559-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000194289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:59.293{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AFFBDF569A457C5098202FF51346544A,SHA256=F2CCD608E183729483540327B13DDAD047A25AD4FC11328F1C1BD4BDD215A628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:03:59.093{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B15B0A3BBD277CC566933DBFD62D89C,SHA256=2040306FF8D6CE5C8E01220DCF7519EA00E17F61D5DAB4487ADDD4DD81A84D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000099993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:59.014{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=177754C15BFDA716E7476775FCB78C7E,SHA256=4ABEFFFFA6E008068D4968B336A0477CACA8EDCC171D81E181C1FDFA6291C45F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:00.782{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8006965C0FDD75C342AC1A83444B97,SHA256=73CEAAFBD7D8782DD1E5B8FF8672124F0EC0C6221D134D96CF03DF1D8869713B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.791{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471DCBB4B8D238F3126F9E9DC8A202EF,SHA256=9319BB932A3A6B729305163AB5130B8C46E390B2B8A33B2CC62B472BFDB265B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.296{3A30D728-A960-6356-590A-000000008A02}38361784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.266{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.266{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.266{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.265{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.265{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.265{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.113{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:00.114{3A30D728-A960-6356-590A-000000008A02}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:01.880{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BDC29112F8BDD0DB47B9EF88E69C04,SHA256=EA8FD0C77CBBD6655D29F3063C9CA8FED2104B126AFDD606F83E87039CDA7E79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A961-6356-5B0A-000000008A02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A961-6356-5B0A-000000008A02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A961-6356-5B0A-000000008A02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.935{3A30D728-A961-6356-5B0A-000000008A02}2736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000100044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:03:58.915{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53737-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000100043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.450{3A30D728-A961-6356-5A0A-000000008A02}25443952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.372{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD216771FA677B5044C1C34C8DD7840B,SHA256=3A5E8A8F13B79CE59630DF0EBAB6F6D1AA1E8B98EFD006916903FF7B3009D6DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A961-6356-5A0A-000000008A02}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A961-6356-5A0A-000000008A02}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.263{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A961-6356-5A0A-000000008A02}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:01.264{3A30D728-A961-6356-5A0A-000000008A02}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:02.996{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD64A7CCD285ED4D9EE42DD1057C85F9,SHA256=23B6C7B2F0690CF05498EC96D96ED763B4C65ADD3F4B88D0361D3F761E3B16CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:02.980{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=98DE31DB632CC545893F83B1316A3194,SHA256=457878BBD63896B383FE4BD614E2D8253056BEDBCA8BB2EC1A9362FD631CAD97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:02.462{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB61BC247EEBC7C182DC7D239B083C4,SHA256=74DA65A65E44EEDCA40DF4A55D795F8A6429BA981C0823531E07E71DB475773E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:02.311{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=74DA87EB8B9CA0FF0228F1D77AB6A527,SHA256=3A487D401A7EFB780791DCDD65D064EDBF0EFE5DA1ADDA0E5A569AF67EC0B889,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:02.122{3A30D728-A961-6356-5B0A-000000008A02}27362776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.586{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.583{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.576{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.574{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.573{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.567{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.567{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.564{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.563{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.560{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.559{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.556{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.553{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.545{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000100076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.539{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21DD30AD79C7699A5C56B47E7B704B0F,SHA256=C0D0D1A3A4ACDE859D2B23AAB0532CB2B8696F4DE422D10FD96037E8639C4FCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.533{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.518{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.516{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.504{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.477{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.469{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.460{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.453{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.447{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.437{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.422{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.416{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.407{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.389{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:03.377{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000100091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:04.505{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BAA21BE9A83E81B593F03D04D44D1D,SHA256=7C533D780AD0ABCA31968F295348D4E97CE7020DFD19F128A122C6534841FB3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:02.085{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60560-false10.0.1.12-8000- 23542300x8000000000000000194297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:04.081{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FFE4298A17C615B45876F0B86E3328,SHA256=B00FD3563F489C3BC0787141CA894D082EC207C9A1979C6C8BF567E2FEA7D228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.926{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.926{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.925{3A30D728-58B9-6356-0B00-000000008A02}6241360C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.601{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3F5570E2AB65A006CC850F82891226F,SHA256=3DB62BED61434373B2E39DDE12158806ED2B3E87F22534E02D64E4668CD5BE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:05.182{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E73B5EB17374347FABE328C9DC32E149,SHA256=1F49C636394D1B3D162203A8AD2DE5E25F6F7BB22C1501E2C48EF05AC349B765,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A965-6356-5C0A-000000008A02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A965-6356-5C0A-000000008A02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.024{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A965-6356-5C0A-000000008A02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:05.025{3A30D728-A965-6356-5C0A-000000008A02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000100112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:06.920{3A30D728-58BA-6356-0D00-000000008A02}7723908C:\Windows\system32\svchost.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:06.686{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0755683B462230A9E0E4C6AB2B961338,SHA256=01D518D8E426031B520374696AA60E37416DEF23EB6AED3507E89B48D18185CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.888{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.886{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.885{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.879{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.459{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.446{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.441{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.433{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.429{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.426{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.424{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.392{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.386{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.368{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.363{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.355{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.346{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.334{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.323{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.315{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.304{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.295{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000194302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.266{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A150BBD143E86BD60AD9619E7BDEB443,SHA256=DD111CB574E476A2E9B18FBDF90C4C556CF1A613A72EC336703805BD891B4FAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.232{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:06.227{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000100110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:06.119{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3B1492A0D9ED3DE050FA9EE14085A4D,SHA256=4AD849788D47A2877EB63DF59BAD00A55A40DC9E4F8BDC6FCECB91727044616C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:04.733{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53738-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:07.778{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E695A486089423FC14953A32DC693A,SHA256=B1987836A8B9177A4BC1C35A1DE1C4E0512315CAA4F29465BF1A673D0D135706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:07.314{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0EB3C980F83661F3FD376B4C2520952,SHA256=28E34D793C62ED4361AEA1CD9EC05993E67A1934D9E5E324A22ED18A5222B267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:08.859{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E75A7F581271DB11869ECE6FBF9DDA6,SHA256=64CF4E7AB3AF4AA27363CF9676AA19D769572931862F972D0970225CBA8DB871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:08.912{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:08.911{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:08.900{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 354300x8000000000000000194327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:07.120{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60561-false10.0.1.12-8000- 23542300x8000000000000000194326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:08.417{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDE0F5EB37F120F1CB309EEBD1DC7B2,SHA256=FA2C60776019F899D6D3783579465C5FE6C6458E368254C9D4346ED719427FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:09.958{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2D0079DADEBE64693B32F27C4A23D1,SHA256=713B8DAF2BA18E29818696267AE36C8515135A187BB0CC41D633F78B10577379,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.647{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.646{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.644{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.641{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.639{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.631{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.627{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.625{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.617{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.615{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.614{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.613{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.609{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.606{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.587{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.586{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.586{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.585{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.584{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.583{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.580{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.577{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.574{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.571{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.569{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.562{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.560{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.536{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.532{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.522{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.521{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.520{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.507{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.499{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000194343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.488{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0CC46F6AD36C15C2D4438A5CFFA03B,SHA256=9803003BBC8713E870036A6A5934146623CE3D3CEA86187233F801FB3882510B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.470{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.464{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.455{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.450{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.448{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.446{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.443{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.441{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.440{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.436{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.435{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:09.432{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000194378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:10.707{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A5206A0CECA3DA8CDC2A57A58311B7,SHA256=F9D93821EF03A21DF013B1EFAABA7F956E49E9D3A7E44AAAE894FB7064B9D586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:11.817{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725598B07C53ECD4DF439636239BA78F,SHA256=19506521BCB7C94C4423C8F3624987D74783465E573602023E8A2AE2615012D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:11.049{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC677351726CF835443D09378380B27,SHA256=F80C7E0F1EEA1E34C9C5FC114174DEE959607215B7DA867806B36163E8E1DAC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:12.904{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFCF391E8D99C947C53BEFC78AA4BEAB,SHA256=C66ADB2383FB224BB0D1E8FA52290852DE27EF86CA776DFF7B686034F5746281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:12.135{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11D404FA22DAD39CF24E0E50B02D5A1,SHA256=FE6126677294E2F46D718D48FFFF44F1A19C824D74112040D9AD0A9D4F0BCAD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:13.988{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC6CC4FEB52D6F95C7284DA8EF2E008,SHA256=617E76A2026BA90888E789C67D657EAF25062E9F8815AFDF59E24C13A4870F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:13.211{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D258C411891C2ACB4F9A626984FFEA3,SHA256=4316B376F5E12C169A5F41ABA1C5C0AB49C0705BA391477AA51FB17FD2824A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:13.018{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=411E3C0619B0633618FED016CD1B8F6C,SHA256=0BD965D08F65AA5BC3B54280B72E9017E94D49754DBB1E7A03AA227C8C1E6497,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:09.820{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53739-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:14.308{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9689240D938E5B89F5B720A27E85C4B6,SHA256=2BEF87F372A6EC51E381308ED9E9DD9CDBC2A2EA2CB8D809D226332984DF9198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:15.392{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFC1C47840BA28C3675154712C89CD9,SHA256=212FD04B113CFE6DB1933563C5CBC7863A58C87A4FAFF53EE950E15071E74C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:13.056{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60562-false10.0.1.12-8000- 23542300x8000000000000000194383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:15.090{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=333848AFBC8F8D170B1E76E83F807214,SHA256=1FD6F56EBFACC20E0CD9582222C37C80AE5B8039002725B3E5395B88CAAFB867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:16.466{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339B6DE8A77AB6E96B2BCF03494D764D,SHA256=668692A9B6D85B8E116C8F29D0A4BC57FE4A4DEF2DC9FDEC0E0B002030644D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:16.170{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79DB441AA606382BCD672EC462D034A,SHA256=DB9964A3D96B8E579035F188C6F36C891F34716FAC1BD2FD494217A7F9A14C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:17.975{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:17.540{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE4A8A94C8FCF66B8AF1EBD8DEF1E61,SHA256=133C074C528B985FD4641D1B514B837CFD0B49DC5B7FD510AE9A18FEF11C0E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:17.254{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97C686C87D5D8077B39AC8BC140D8AE,SHA256=0C1405BFF0333D3DC86F9A27D0F456D28330B69BA505E45F2CE5E95A7F06F112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:18.623{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB5FE3E6CC63CC0806B8F593A32CD8F,SHA256=20E0DA84980145816D8376F32C3793E80CDB2BFE477D4751CCD94304B7F75385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:18.354{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=946E88B929CEC0ED287B3EA8EDF19C9B,SHA256=E0266FC54B762154C0F95D6185A3B54E010EEC08D32F0BF2DC5EDCFF13E06BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:19.725{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ACF35D675BE53CEC05B504157F1DA1,SHA256=6AAC970D8602548A0F7C3E91EC0C06786C653C2AEB80D4AAB9119972250BE91B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:18.127{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60563-false10.0.1.12-8000- 23542300x8000000000000000194388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:19.422{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A313BBBD7F723A9DBF6E69068E18C34,SHA256=CBB227A27284B0F2B3122AA191BDF31A0B0CAF1CB14AF81E365F9919C961CD11,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:16.652{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53741-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000100127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:15.830{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53740-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:20.814{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F883B819A98AC526428C278C9CC3625,SHA256=E10D966B4BE80022C104E4DD5ADEA533D26F66982646A719AB64DDAFA9080698,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000194391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:04:20.756{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e7b9-0xe53093fa) 23542300x8000000000000000194390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:20.508{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4378225B159E6C7B42F3279F33AF0E0B,SHA256=A5715462BB5B7B8F6ECE1BF1E18656B675B0AC0957770979199F13FE86D764FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:21.916{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=275545B1A7A14467C5D22A377577532F,SHA256=D90FC783CC7233704B6020E089FAC2DE5C4781C1E185F419DCF9FBB1E0C6883F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:20.598{E8723972-5646-6356-1000-000000008902}420C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local123ntpfalse40.119.6.228-123ntp 23542300x8000000000000000194392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:21.624{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009D733614794CC8C330F918EECE701D,SHA256=EB50E8F7ED501FC8FBACF03ED4582903BE57284AC98FA403D448AEF588279B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:22.695{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48AA33324DBB53DBC9B1B7EA8BF81EB,SHA256=1224830DE97C2DDAE470DEF64EF31FFD5D2B5A5661D4A86741454557B79BEEAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:23.780{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2972EF1CA5DD12189A85BC8698C5E10,SHA256=F445D85BB1F348C5F3589794BEA4281F3D1C3706B03D61A8AC8E7330CA368645,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.594{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.591{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.588{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.586{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.585{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.581{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.580{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.578{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.575{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.569{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.566{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.559{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.556{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.546{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.535{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.508{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.505{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.489{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.445{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.438{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.431{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.423{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.417{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.411{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.400{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.387{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.379{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.369{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.367{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000100132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:23.002{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66256195C6A821E25540318CC490E871,SHA256=C3B7D5BC7D11CA16420723FD75462789A434F951283F21FA1A2C3995C5FE34ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:24.861{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4E53AF8FF355955A862438C6F5C700,SHA256=1A6A48966C70C8724BC352CCC82601E3FDBB1C3406AA13A9F47E42510E2A390A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:24.386{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34E640B397540AADBF8D54B743869A8,SHA256=EF9990D71BB9B9D47F8189BF2DA2E1962AF8FC19AAB67EE60389C121C9E9C09F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:20.890{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53742-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000194406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.998{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000194405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.978{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB1A7E438057E647C54007D832BADBB,SHA256=A1FB96178ECA1EE74B8E844A19D04C951DB53235DC771CC302D7664EBD89B4F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.944{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.944{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.944{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.945{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:25.302{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BCE135862616CB77CF9EC549170E73,SHA256=35AA50C7B6C7654F48111CEE7F2C3F03E9C5671D998D0ED18EF219E106FF54F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:26.373{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF98C4AB8264716D1BB71103AB7C347E,SHA256=643087F2B622A61077C17CDBE3CAEBF566F61A9F56ADD0A10F3F209271195517,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:24.148{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60564-false10.0.1.12-8000- 10341000x8000000000000000194446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.792{E8723972-A97A-6356-2010-000000008902}92043776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.778{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.776{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.774{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.772{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.605{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A97A-6356-2010-000000008902}9204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.603{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.603{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.602{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.602{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.602{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A97A-6356-2010-000000008902}9204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.602{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A97A-6356-2010-000000008902}9204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.601{E8723972-A97A-6356-2010-000000008902}9204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000194433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.515{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.408{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.398{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.393{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.387{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.384{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.383{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.381{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.353{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.348{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.337{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.332{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.326{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.317{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.310{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.300{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.294{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.286{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.279{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.235{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.233{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000194412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:26.099{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E819F72567EDEF0DE90E39D8074BD924,SHA256=E96D581BD772318050DE50FE61F6F1A7F4B33492C1D1A4510B342D5E28ABCAEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.999{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.999{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.999{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.999{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:25.999{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A979-6356-1F10-000000008902}8524C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000100166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:27.463{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294576AC482AF8B96DD8EF6060C9941E,SHA256=A9F2E85F49C2334F0B2A1006CAA20B131636306D7FDD07AFCB0533CC6156A90F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A97B-6356-2110-000000008902}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A97B-6356-2110-000000008902}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A97B-6356-2110-000000008902}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.250{E8723972-A97B-6356-2110-000000008902}7548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B772EBEFE1CB525603E608F8A3F11DC4,SHA256=430EF36D39F6C6DCF2C758A3BD4D54A9C3CDBCCB94CAC2EBBC2400195A20B8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD95ADBF66932CC4E25B4237305AB03C,SHA256=3CAB900A2A6C6FDF447EF0089EE73720BB5D88F33E4DE72ACD71C821E50DF565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:27.247{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ABDC83975A4867C68905C044C367AAB3,SHA256=89D944E70D8C2DF3D0307601456338921293A9AAB640710DB650279A3ECA9394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:28.538{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B2770B9AD42C8477A638F037787EE6,SHA256=29B7847CBFBA165EDFBE80B5D9783A06CB732B40E7847E01652F58121F922B4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.808{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.807{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.801{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.732{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.732{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.732{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.715{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.493{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=2594C661CA334E9D236B3F5F04EC4DA1,SHA256=73870781D815FAD28AB10289D01064967CF6817847BDBAA8F403C9877372F025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.466{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-345MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.321{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6199C7A3EF2F9B1B36AF21AB0FDC2821,SHA256=54062C41379EBA3CEB4766105D6FB0D51EE0CB156CBF0D5FC8C04B7E24BC6D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:28.247{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BD4AB7C52F964D1672F28C227EB011E9,SHA256=C490246D9CC8C50C7A772E3096C915AC57FCC15F388BAFB7B5D47BEDA920A6BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:29.629{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD08BC62CDD827CF0F31B72A9A78C766,SHA256=3DF1FDCDF6DA77CAFE57C9555E3BD5E2D28F18C73CD42DA05F740F16E204D5C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.552{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.550{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.547{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.545{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.543{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.536{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.533{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000194511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.532{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E4365C7BA02C7B00DC5D7E2FC2C35C70,SHA256=E82E41983D9824C4C0B6AF286DCE4DBE1864956BCB887430E84B09EC23D3395B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.530{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.526{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.522{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.518{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.515{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.514{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.509{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.494{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.493{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.492{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.491{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.490{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.489{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.487{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.483{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.480{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.478{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.475{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.467{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.465{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000194490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.464{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-346MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.438{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.434{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.419{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.418{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.418{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.403{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.389{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000194482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.385{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4413CD25C0785EAA6785B4AB799F6BD8,SHA256=53A1C9951B1FA1DDA5DA4AA36729D9F3D1E8F74EC407AE968D4F8621B3838D5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.357{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.351{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.340{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.335{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.333{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.330{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.327{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.324{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.323{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.320{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.319{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:29.317{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000100171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:30.702{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=375F60A802BB7D48DF0583B455E77FB4,SHA256=830BA5EFC0BBCD426F8832FF0FC6F818793AEF3E03DF21A28AA7214F01BD30A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.985{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.985{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.985{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.985{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.985{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.985{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.981{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.983{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.981{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B3E15491C657FC08CE167809DA10BD,SHA256=F84F3E5EC44BD69433C88C050F8A1ECCF27B61FEFD435316A0FB6763911A3B6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.647{E8723972-A97E-6356-2210-000000008902}773210100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.485{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A97E-6356-2210-000000008902}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.480{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.480{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.480{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.480{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.480{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A97E-6356-2210-000000008902}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.480{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A97E-6356-2210-000000008902}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.481{E8723972-A97E-6356-2210-000000008902}7732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000100170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:26.796{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53743-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:30.025{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-335MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:31.795{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D438F9635E5CBDC4CA43895D7D257D6C,SHA256=995EE79E0AADD5CF1085B2B100AC46A7871BC3E2C97F8BF64DAFF56EBC634DB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.832{E8723972-A97F-6356-2410-000000008902}45486304C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.648{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A97F-6356-2410-000000008902}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.648{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.648{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.648{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.648{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.648{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A97F-6356-2410-000000008902}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.648{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A97F-6356-2410-000000008902}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.649{E8723972-A97F-6356-2410-000000008902}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:31.031{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-336MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.201{E8723972-A97E-6356-2310-000000008902}91207944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.108{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.108{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.108{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.108{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.108{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:31.107{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A97E-6356-2310-000000008902}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000100175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:32.902{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0588525AF4F0DCB8CD02ED2D2C3132C,SHA256=7DFFCCDC244A63366F46C7BDC2EA953A2CBE087646EAB021318A54A0C6211241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.718{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCE568BD6CEF1D3C562D64A4ABA1E8B,SHA256=0657573B4134CB0FCDE63F35AD7084A96502636C46222CD303FAFFC4954197FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.683{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=525559E1D178831B312070711A1B5A4A,SHA256=7CDD84A434C087871854CBBECD745897631C31026C42A611C2FBAAA958F2E639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:32.553{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F13FE1FDA1E82B639D4B8372CCB8D434,SHA256=7B7F51E2D5FEE68C54E3D7F23ADDDD04435A352FBA6A18D6F477C7C3046AADDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.617{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A980-6356-2510-000000008902}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.617{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.617{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.617{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.617{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.617{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A980-6356-2510-000000008902}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.617{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A980-6356-2510-000000008902}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.618{E8723972-A980-6356-2510-000000008902}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:32.089{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E36154A717B211DD4044177556F2E01,SHA256=004CF362FEBD55224A16667289B5BFA44336448C51E6FE22A1FB8B519CF1F026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:33.761{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE05D9A99A5E6E3E413A7132242EFDA,SHA256=27C126E9AF01A2BB8164A5F084E74F03277C233417CE6790217EC7F1B170A405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:33.517{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=46305004E2642DCDBBE5BA190570ABEC,SHA256=BEED1F242DB9414465657AE251A727083569E115BF91BE0ACF29AD88CF501BE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:30.074{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60565-false10.0.1.12-8000- 23542300x8000000000000000194567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:34.834{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095B41DBB74DDFE9DFA2031318556229,SHA256=17FD63516C98740A799C005600C8DD540DC6447C2D63978BC92E3DBB1DDFF2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:34.003{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18E294F68863AF40DD14541B7E496F77,SHA256=33ED2D32E4808EC9722C88DA156FA7A0E2F502F331CA8EEA1A1AA41A1ADA029F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:35.966{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCAF129B2F0742AB187B581389CEA31,SHA256=6576984982ACAB74A86E64F4F54873DE130D60D50FCBC4B790A129531AE18792,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:32.774{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53744-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:35.095{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=445C695A09A552854878550FDE32A929,SHA256=FCBC0A6DDBD6B4068E6F05F1601E5DDAF568C45C9B3089E8A907BDBAFEC5A4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:36.201{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23B25EB3456C184A4567356AA411BC9E,SHA256=7F9F6028E585D4FADB90B12CA639F2D88486C7F7D6B7DEB7810D74D7A15E600F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:37.275{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068DD58BAC493A4F292A3E7947B9D358,SHA256=80D85DDE1561524A796424BB9847A9C0505E6E694EFBF57193BCD8923DD190AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:35.123{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60566-false10.0.1.12-8000- 23542300x8000000000000000194569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:37.102{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BA2704C3DE02CFB48A961C2B86C610,SHA256=199D518A9F9137DC11820172989AE3A4739A6C7A854612562A45D249DDF52E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:38.550{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=D1D3A7B5E4F4FF05C5E06CCE4810ECB1,SHA256=F318D98BBBBED19EE322962CD7407489D1425DA09562B634B73E9761F85E2B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:38.219{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63CBE996257FBCC92A700B8458AE21E0,SHA256=E9D09E35CCD11C30710A56E90BB0F75FE55F6DE8A5D8C1808B8243BE612A2ADB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:38.362{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051B39FB7311766FD4AE8B254B4C181F,SHA256=5155D6E46F316F48D40FD3648B05F50597A9E7E350215DA33B92F5A13BC7984B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:39.335{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E443CE165F8FDAA6B2B8F198E12AA36,SHA256=AD64A27AD0EB342A90D76F41E6A234127F57BE4DCA83ADF3541A1AC769A04A80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:39.445{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1570FF46B59E4E6EB7A778BD146A69D,SHA256=9AAF46801FEDA9C7B6ED2A81697A15BD5D57641DE3BBA91AF1EC55CA66248FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:40.450{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756CCC09F5A2699066F6C60C7D6B26D5,SHA256=F68D5E325B5230C68ED0FC0A61D3377B0DC07389B0726EDAE902476F5955DD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:40.536{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEDDD14FD4244C462E1A9DD842A4837,SHA256=447E3C31ED40BC5BC5BFCEA4D7EAA8E5A57360300FE187754E92BE73A613C620,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:37.931{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53745-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000194575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:41.568{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9248A41BBF05587EE1ED6C3936BEFDA6,SHA256=D38B18038685655210128F7F326DCE432B8F34A9CFA348EFEF3AADC9FD9470FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:41.625{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=473156A0334A79155B7D58351F475415,SHA256=DCC3879586B2EC9AC09DF11CA49CAB102CA506CC14DEE4C6C3B6BF134298E19B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:42.685{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11FE8FE1A6562CAEA5D715EFBD1554C,SHA256=D9217F206D58E7367A55F7821F2F9FF891B359FE62F84F5BB76C6FD9DD373D6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:42.666{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:42.666{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:42.721{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CEA180A7E7AE4E6E08C97132B88A74,SHA256=27907B8E7F0C4412531D6AEBE64C91F9E6562A85B46DA5A61A3048C26CF5F163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:43.761{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:43.707{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61064B720620BE5896F25BF4464833E6,SHA256=F960C5A74B28EC7BAFD7206392C3DCA46395A624F5A65E6FF1EC447255E37C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:43.584{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=41D717722610E0E4F867B38302C4C590,SHA256=1290DC1E3BDDA832BC33071A0A79EA9CB8D3CA07CA3110D8F6030CE83CD4ECBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:41.024{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60567-false10.0.1.12-8000- 10341000x8000000000000000100215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.585{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.581{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.580{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.574{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.572{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.566{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.564{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.559{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.556{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.553{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.550{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.544{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.542{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.535{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.527{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.499{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.496{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.488{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.460{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.448{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.429{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.420{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.412{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.406{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.397{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.391{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.383{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.374{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:43.369{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000194583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:44.751{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D18EC50CB2FAF9F615F7E1DF00ECEF,SHA256=C14CC528EBCD32C6B99D271D58D521E16FD41EF24DE1321DF01BD33316085E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:44.002{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE5893B242B463D0F5F2A5917C30F43,SHA256=418CEC6ABB309E4C4928699E48389AB153FFB23A5812124DA957B0CEECAF9EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:45.769{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CF24801A28B1D5C1369C2073B9EB76,SHA256=70A6A82A7A8A599808EF70EF2B69B02307749FE9415C965AE7A031A20EDCEA88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:42.941{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53746-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:45.104{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47AC62B79990F4AAAC6E5F3CA46F00F1,SHA256=078C4F2248B3BA0B746E54E9801C5984F68F225C1A663FE9C5355D246BFF63E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.844{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.842{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.840{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000194607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.836{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEDFAF4AB87D4899A0E3B8769B5B2182,SHA256=E7E5A30358CAD4992ADE182DE87A2225B7B93C57B136FAF1EC838B98BE18B205,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.834{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000100219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:46.183{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551582B67DF41A3294C27A4ED98B0274,SHA256=B6BDAC0CB6C8381A8E2954023D54C834B7A239BCFEF74A8C7C39494BEE30708F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.412{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.399{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.391{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.384{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.381{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.379{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.377{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.348{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.343{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.331{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.324{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.317{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.308{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.298{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.285{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.277{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000194589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.274{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.267{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.260{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.220{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.217{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000194611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:47.939{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DF9EEC4971D805C696409C3F449E2B,SHA256=CDF8278E96086C3C8E32A4EA103061A5EFD8F361E17966CA0A16120497EC9148,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:44.841{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl56109-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000100220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:47.276{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED901042CC292B5C591F0F5B0B6A863,SHA256=6368F6D7EB00111BEA979D2C3759B4D2FD5B464795DE40D95E50271A64E0EEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:48.349{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413667F312C4D3769BBE6B7D418FE285,SHA256=9F75315BD9ECAF437A16953F34A852645B9B1997AD8A18CC7944A0D2155D4EB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:48.878{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:48.876{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:48.871{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000194613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.148{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60569-false10.0.1.12-8089- 354300x8000000000000000194612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:46.057{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60568-false10.0.1.12-8000- 23542300x8000000000000000100224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:49.961{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD4505E5D0CC7DD0418E6B724D738C6E,SHA256=9219983CD1A8043FA00E29E10D5C4F7D37D92F1272C7BC9B79AD46A94AEABF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:49.430{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=385412E89F77F6FF5F5657A5BAF98C75,SHA256=5636B478CB430CF4C9E41CFB7C23B0FA51E90BE933443CC7AE618EB1CF1961FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.618{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.617{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.614{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.612{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.610{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.602{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.599{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.596{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.593{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.590{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.589{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.588{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.586{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.582{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.558{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.557{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.557{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.555{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.554{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.553{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.550{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.547{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.544{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.541{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.539{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.531{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.529{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.500{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.496{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.485{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.485{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.484{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.469{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.461{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.429{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.422{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.412{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.407{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.406{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.403{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.400{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.397{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.396{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.392{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.391{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000194618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.389{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000194617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:49.023{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BAD58352927319C6E1F3476D32B4E48,SHA256=8C68628DABABCAE1DEB8ACA493B6DF0285180D04E41F3D6E782C1FA55219D0F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:50.520{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00CCC7C5F06FA78DD0192344AA32CA0,SHA256=4C358321D6D49C61293BA32EAE3B98CEC9D7956D819CD743F619C23D20A5B80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:50.408{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B53E934802DD281525513EC598E219,SHA256=AE0D29A05049AB9EB5F3979AF952955D9576379F580D4E6B9987095E6CA8A72F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:48.732{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53747-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:51.603{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273C19323B7FE4B41CDE354E53740F5E,SHA256=D8559B195A40DB35575C4F044F1CEC6168D02D7C783CDDD9F94A9AD72D71BABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:51.472{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7853EC52226A739C4EFD1CA4EB067A8,SHA256=90ADA7FF5A62D54EC92F82932779C852C83159C6A7737901B26B746EADD2F7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:52.693{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5411A69E5AE9AE63F6716C64B9B872F,SHA256=459DB0BA798C6D733E3991B3040395862066F9DF35761B1D6A5992ADDFA0C558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:52.492{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959300996D60AC40A0AEE3388C5AA4C1,SHA256=8546236CED8A755D9D0378C4FC74F03F3303E5F31382EDA1BC29858F6572C9AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:53.786{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8F48C28EF3A7C709D426597C01DCD0,SHA256=D4E29420750FB02B99F088ADB0118A3A65EA1B087275C3927DB642F5482CB199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:53.507{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A74C747AE6DAAA3FD24B7ED637C8739D,SHA256=8533D6A9F1C84BE01EC3320A695733EE6E65BA4C90CD183DF248B8AEA7090FB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:52.077{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60570-false10.0.1.12-8000- 23542300x8000000000000000100230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:54.871{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68699AC3926CED9E75828247C1178B6A,SHA256=22E601AF30D47F6FEE7D6530CB083599672983DCD390546E8C362450BE48096F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:54.538{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078750C2C35E58FA3D149A60231E690E,SHA256=B85CBBDD7ED09B1CCF1071564E664BB9E7AEFCFB40386D497F767B8F77BA42B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:55.959{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A47E534D4F271405C28574275ECD65F,SHA256=552939DAD9CB30FDBBEBE7304E54B2E0ABBE6E60A5AFDABF2A6ADA2FFE50E3EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:55.671{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216CCC8FDC44569A0E55C549E5BD9C74,SHA256=0AB294CDC3E5CD1C30171EBB4CE32A03C57375B31972CD177D636E2698273008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:56.771{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520FBE8650B628699F5C294CCE833A70,SHA256=0DAB0F1549A4F95C202ECC18CCAE298952EA17FA1802DEC7D373245396ACE17C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:53.845{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53748-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000194672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:57.887{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4441995F089D5FD237CE5761EC2B3FF9,SHA256=41311587457B9AAC78BF48B08BAF2BB73EAE0CC67B11CE2DA3E190477B2DD5A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A999-6356-5D0A-000000008A02}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A999-6356-5D0A-000000008A02}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.967{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A999-6356-5D0A-000000008A02}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.968{3A30D728-A999-6356-5D0A-000000008A02}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.951{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1D7797E27CB85CD7F00AF7E90C643248,SHA256=E0217D2D5E0AAB3FDE49F5F82D4736E7D0A952267DF0576DE173CEFF5EC860FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:57.050{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CF0C9D5D9AA8FC4AA75D209AEB62CB,SHA256=86EE5BA10E4F97B826724EF2383A2580C8EB9408107C42112DCFBADF50CC2884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:58.907{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B109ABD6DD83B6FDA40483D02C4FC76D,SHA256=F6A59E63B42A9BE2B64D9DCB7E852169ED24C9DCF2353C474F5AB2B96A850BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A99A-6356-5E0A-000000008A02}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A99A-6356-5E0A-000000008A02}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.634{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A99A-6356-5E0A-000000008A02}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.635{3A30D728-A99A-6356-5E0A-000000008A02}1180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.618{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=53547437FE0B79F5C58F440B1D388C24,SHA256=4119408F9D6A71265DAA925082A15356EB86509B06D8ECE37754655A22B2B4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:58.155{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014849346EDE912151BD2DEF165D8062,SHA256=B5E16FC7BD4FBEF4188A6690DC6D231F859C7FE8B84A27DEB8D569FB0EA2A179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.474{3A30D728-A99B-6356-5F0A-000000008A02}22841192C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A99B-6356-5F0A-000000008A02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A99B-6356-5F0A-000000008A02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A99B-6356-5F0A-000000008A02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.305{3A30D728-A99B-6356-5F0A-000000008A02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.263{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E26C4B9D84FBDB9AB73DE29B01E684,SHA256=A2CFA7158AC3FCFF7A6456A56DD20E31ADDDBCFDE783D33E0E3654FDB19D14D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:59.923{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4EFCD6047C47DBEEADB2066E8F1B22A4,SHA256=3DA83E7BFC9EF21C33067A77520AAC8BE01F2EE64D47BF37ABA43F2865B9CFCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:57.944{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60572-false10.0.1.12-8000- 354300x8000000000000000194676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:57.897{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60571-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000194675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:57.897{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60571-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000194674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:04:59.138{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BEB2FE45F6134FC520A87841F4C13F2,SHA256=6752292D799A8AB39119739C1CDB5209F65E9C6CCAA41A01C01E02148C20EEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.099{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B88CDB7CE5528479DB1E7C11AA993041,SHA256=C4E1DA0564907DB67315DFD1F04C6A275F3A5481072E18C1442F257341199270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.691{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCE10471164F1DAA7F5F40B518A0D07,SHA256=248CB004B42DAD1F88195F90EE735971E0EED25F08225912207BBF9986DE2734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.314{3A30D728-A99C-6356-600A-000000008A02}11842448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:00.123{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F072F3D634D2FAA005FC30B1FED307,SHA256=6FC84C94747F38FAA163B8306855321CCBF771BF1D9F989B61F60B4B4D8AFB91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A99C-6356-600A-000000008A02}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A99C-6356-600A-000000008A02}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.115{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A99C-6356-600A-000000008A02}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:00.116{3A30D728-A99C-6356-600A-000000008A02}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000100327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A99D-6356-620A-000000008A02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A99D-6356-620A-000000008A02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.813{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A99D-6356-620A-000000008A02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.815{3A30D728-A99D-6356-620A-000000008A02}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000100314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.501{3A30D728-A99D-6356-610A-000000008A02}27283212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.435{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C2B36DD83D17054E7F955F37E6BFE83,SHA256=8817EF00A629E7DCA32D29F6B4C8D3967AAB73DD11BA47B0EF0348B3FD3E77DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.411{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.411{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.411{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.410{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.410{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.410{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x8000000000000000194680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:01.239{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=248B23CFE9EFC6E9E53208BD5F9E421D,SHA256=41D1F1C2B7780757F4FA8F531D8C83430614ACF856A4A0465ED97EEA531F5946,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.277{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:01.278{3A30D728-A99D-6356-610A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:02.808{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1705871E1B65D2F00A152E2A5C33D37F,SHA256=721364FF4819B9685DF60C5ACB6C4510CC4B3B9445B4311F4D3864B617235036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:02.511{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=287EE44B09D7D13CA1457D1159C23C2C,SHA256=5BBDFEAF39353FD7E6557B51842FF32FF95E4C811CCB807FB639A04A0F7AAD73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:02.407{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5642-6356-0100-000000008902}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x8000000000000000194681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:02.354{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5294369774C56AB7401B4FE5F77905CC,SHA256=DECD910E768BCC633BA902555C4B5489F77065FBDE7976187C7E9F15456C28FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:02.095{3A30D728-A99D-6356-620A-000000008A02}1956736C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.664{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.660{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.652{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.648{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.647{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.643{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.641{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.637{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.634{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.632{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.630{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.623{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.623{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.614{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.599{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000100346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.598{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDAF58D563A9BACB971971017870D7A,SHA256=BD4EDBC0ED49CF061B0995F85AAE1467FCF3034F5C1D247F41B4328936D78F5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.574{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.570{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.551{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 354300x8000000000000000194685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:02.298{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60573-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000194684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:02.298{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60573-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 23542300x8000000000000000194683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:03.454{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45D3495A54FD837832F16457444D7D4,SHA256=A9FFACC2D4B3B66B7339F2E3B7F7F191D704FA56968AB8AC7C2109D33DE3ECE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.508{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.495{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.482{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.470{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.456{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.447{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.434{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.419{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.399{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.385{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:03.382{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 354300x8000000000000000100331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:04:59.833{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53749-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:04.701{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCFA0A90F8052A959FFD4E2BE817DBD,SHA256=165AFC644C0D69899F832C5C27FB8834483ED01D35120F82DDC7492002885AFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:03.129{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60574-false10.0.1.12-8000- 23542300x8000000000000000194686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:04.572{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6EB5CA62ECF1E85FD45C470E4A88B8,SHA256=1AC488775B5D2E65B3CE639654C32584D16BA4E7DD57988033C41A1EEA322F22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.917{3A30D728-58B9-6356-0B00-000000008A02}6241360C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.905{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.779{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFF48A58ECF6B6F96BF4A0ED011EA16,SHA256=F5EF0363F886F48EE8DD1DFC2C606A6B2309AB3A1D4D17382ED0FB88E6FDCEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:05.607{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB2DA9F01F2E0B341A83E3C8623D89D1,SHA256=CA1B529B8DCE63710B8E937F83A841894DA1D821D98ADEEECF8089EE43BC2D1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A9A1-6356-630A-000000008A02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A9A1-6356-630A-000000008A02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A9A1-6356-630A-000000008A02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:05.038{3A30D728-A9A1-6356-630A-000000008A02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:06.860{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469A214064348E40414C6BC1DFA9F31A,SHA256=D71C4D4C74D209EFCD0FBEC7CC01EB12E46BCD4F1B33E3AAAC7B4BAE0D3CA628,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.786{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.784{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.783{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.779{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000194709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.701{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079698A7AB97EA83418798D4A4260FD7,SHA256=E79A560B052977F651AD214073B8F6DFD25F82D6FEF48D436A14269BCD3ADCBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:06.218{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88ABBAAB0EAC61EE9032DED8456E2135,SHA256=434F58D7B63FE7E228CCC65B452FACE3D0A45C1B4D40157198FE2A88A7C6741E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.403{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.392{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.388{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.382{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.379{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.377{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.374{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.350{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.344{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.333{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.329{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.317{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.310{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.300{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.291{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.284{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.275{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.264{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.226{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:06.223{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000100383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:07.962{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59802599546524FBEDFC88CED935F378,SHA256=A89226F37D328DD143CF44336230926CD074812DA1950F6BBE72C4689550F101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:07.806{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231044D2AE8B69AB67F2FD8AAB605A75,SHA256=2889E7977EE6EC9090D3093F88BCEA9EEE2BB2E2180998AF420DBAE6873B0BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:08.909{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6918CAEAE83FA82CCA6CE95E3D2EB7,SHA256=7D99D6012A8DD2D4D988E3E4B39750531B7C2276A0F01A21D35437AE78879EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:04.894{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53750-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000194717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:08.800{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:08.798{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:08.793{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000100385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:09.043{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F946D0704113D40CF71C034B5F8874D7,SHA256=5BE83B054B98E477EA4643A69A8D94506CFEDB4C10924D7695F2E30FF23D041C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.571{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.570{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.565{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.562{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.561{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.554{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.551{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.548{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.544{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.539{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.537{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.536{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.534{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.531{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.509{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.508{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.508{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.506{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.506{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.504{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.498{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.494{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.491{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 354300x8000000000000000194742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:08.130{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60575-false10.0.1.12-8000- 10341000x8000000000000000194741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.488{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.485{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.476{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.473{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.434{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.430{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.417{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.416{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.416{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.401{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.392{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.361{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.353{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.343{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.337{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.335{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.329{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.326{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.319{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.318{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.313{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.312{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000194719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:09.310{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000194766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:10.189{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568E917AFF69ADA7E97786A28860BC8D,SHA256=D3A2890B76DA96022C99249CAB37ABC41CF2F59F790D3B011A99ECCF5FC1C358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:10.121{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943C6ACAF1A05B5A140E468DF184CD34,SHA256=2DA2F9C25D5EEC91E51CB52A6D4D189747464FAAA6E97C627B3409D794D119B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:11.200{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A1A3FF401E8844B695364E4ADF592B,SHA256=12038EB9C16BFD1C36A64D5C759D258160DC8D4CF1065C437C71E8CCE628C084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:11.324{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6B374F9A360D28C1ECF29AB9E2DF855,SHA256=F4FCC4FCA42E2DA639E7D93C2901290B7ED9147BCA05D443B1611258BD45E59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:12.283{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AA93EA54A3192F520FB496DEB0DD19F,SHA256=8320ED51E49CAA19C3B4EF1186ABEEC17A8F7EB31ACB0F1E1330B19DE62D695D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:12.356{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F549B46163925294910029F1AA583812,SHA256=85C612379426D71C0AFF5B7E6EC19234178BCF4469BB14D07C1A92A41C817B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:13.365{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B196758FC25F6B866EEED9E32F75206,SHA256=45D1D86E2E83C3A8144C93375A06E7A442AC2E1114F93CB838CB79CE73CA4A53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:13.373{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F40A74EC658DA09B715B61578F1BC56,SHA256=8FFAA71583B4BA0BD50B0E848590F5FC08ED4C24164A519B10347C288957BCBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:14.552{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD47DD0AF7010B82834E6AC7DF4FA377,SHA256=91C8722B7E79AAABF1ABA10264A7C1A303CF49D88DF7B482CAB55E32EC96AB07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:10.854{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53751-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000194771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:14.476{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB472E6B7E494ADD7DE6D4707EF6E7BB,SHA256=21F70330182D27FC2DB4CDB7D09A5509D7951A6C1493D58AB54E5C2F61B6E0F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:14.192{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F076C0BC507F38635FA9742F9DF5A6C,SHA256=507B5B5F9E251A2DC5EABF91AB279591B566C2D1E12972A7AA5C4C5F0F9115BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:15.640{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1AEB0FE71F62CB6F5D634EC0F562A3A,SHA256=1CE4CCCC0FFBA1CCD7F6CB1AF2769FE2C2D708C5674E15A79B9F19EC7300567D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:13.965{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60576-false10.0.1.12-8000- 23542300x8000000000000000194772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:15.594{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BA3C19ADEC9226A92927DD2A22E388,SHA256=1011B14CC5BE5EC75C0341E7031E52FE7C5799169AABF1BB816869693567424B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:16.727{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF7E8EF5708D42A05D071B0F7B584CA,SHA256=36A5D61217048DD046AD1BCA619D93BE67D1AF1F1C289CD36C19EF9388344528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:16.630{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B836E28A8DAA8F7991046FD7E6D3F307,SHA256=254002D8126C77092E495C0C25774D08AAC88391DCFDABE4D9D3FD7F8059839D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:17.812{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED6B96245413FA373685F57BA33AAF8,SHA256=F40B0406C4AFC9E6C4D5838FD537A3367FBA6CAFA1FDF38D38A44CC1D15C9FD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:15.805{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local138netbios-dgm 354300x8000000000000000194776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:15.805{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000194775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:17.661{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39869A8258051A39718E627E11F96057,SHA256=9DB493EA4DFC74FBBA7E12B25469C1FFB484A3DF04580FE55D2BA9E192F64337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:18.901{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34D4B4DA3B89906CF7185AA19F873230,SHA256=06D8F6ADED79FC209392B89142A0B9B3A2DD32E43A5CB95AEC11266CB8A10CD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:18.758{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B590CBE21C301B438EFFB55A9639A231,SHA256=178FA143B5439A3772F624A9FE619FD62A02F4FB1DC3A25BF5C8E92E2D2E2115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:17.999{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:19.985{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DD962BB9A0FD872DFFC314DDC90664,SHA256=1A32504B70B8136AF20E3FBA50F69EFBA3270EB344A5DD3AFD49390F8054B43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:19.792{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09F891489FDDEEADE2F7E478928B321,SHA256=BC33386F0ECF878DA63E14391A4AC8E515712002F08A240DB12A2DE9A944CA09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:16.832{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53753-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000100397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:16.676{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53752-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000194780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:20.827{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6241874C7914DF99441CD73859395A19,SHA256=28D4B0EA4A493929C7AEC59BE241307FA38EB9F48DD5A85CC85AD5DE5BBDFC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:21.928{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67EF5FDA4CBEE4B4F0A745888B0CB2D5,SHA256=75F6E1A03F0683E8ED762838245F97BC89EB99704C4AD846E7CD599C895C243E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:19.082{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60577-false10.0.1.12-8000- 23542300x8000000000000000100400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:21.073{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA3AD9D219EA4C47311125006846538,SHA256=A448EE09EA5F02B4273CD753DFC8FBC283221D964588B5628C9AF76F3E6822CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:22.943{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380CEEBF4286F95FB18389B4098B80FD,SHA256=2AE6FD1D0ACACF0BDAF3A81DB148074D5B9457CB5113617E9572AB56706671B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:22.162{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D23D4731CCDA1A2EA392702858B6E3,SHA256=E646166DC816448E8F442EE5CF9DB5F055E021355B70DD5E2F4013DBD5ADA66D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.582{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.578{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.574{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.569{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.567{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.562{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.560{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.557{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.556{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.552{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.550{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.546{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.544{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.529{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.518{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.494{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.490{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.480{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.434{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.426{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.416{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.407{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.401{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.395{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.385{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.377{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.368{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.359{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000100403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.356{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000100402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:23.242{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3774BC1B110B4F32CA611D8D911EDA58,SHA256=91E5E4F8E6E47A65001A35F2415CB06B2449500E9D66DCEFB2EF5BB548937082,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:24.353{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9096162091004FE6B64F8FF4C6D47D3,SHA256=FEC1B9506D645751E13D8BB5F48CCDFF2A8BD5AC17FEE3F2C578269913B86319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:24.717{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF145fa70.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:24.059{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222CD9E7AEF6F6449B7D5DB13CC495DA,SHA256=728867A537F1BE1AF8A7E7BECFE2B54D5162FA8181D3D02523EF8ADC0AE39465,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.944{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9B5-6356-2610-000000008902}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.944{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A9B5-6356-2610-000000008902}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.944{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9B5-6356-2610-000000008902}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.945{E8723972-A9B5-6356-2610-000000008902}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.076{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E99DE6567B52B2F8ADF2F921C303D25,SHA256=550181EF3275B84C643EEE12C5FA4E0DD9BF42C2FD675A3E4F03DE017CB3007D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:22.747{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53754-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:25.499{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D3E9815AA74AEC835C001F39159D84F,SHA256=ACA667C8CD98853B1A5AB1F85CED54BDFEEA81424E8FB3FE706B0F9AD66E6312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:26.573{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6ADC4A90E6C04440F26C3CE5CDD430,SHA256=228DD50DA40116A7B20601A0233A2837332D46B62FB6AD368960F87294476DF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.859{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.857{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.856{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.853{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000194824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.836{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A85B40F695A157E090979DF7614BA125,SHA256=DC086450AE20DC8D188292BE7A66C7BE9DAE3074F17A2E194F3CE14A61578193,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.604{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9B6-6356-2710-000000008902}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.603{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.602{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.602{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.602{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.602{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A9B6-6356-2710-000000008902}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.601{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9B6-6356-2710-000000008902}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.600{E8723972-A9B6-6356-2710-000000008902}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000194815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.459{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.445{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.438{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.430{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.427{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.425{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.421{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.389{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.383{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.372{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.366{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.359{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.350{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.342{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.329{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.321{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.309{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.302{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.246{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.236{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000194795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:26.219{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41EB8265A724A817F5B12592B77CA485,SHA256=277482690C41A2E621EA9DBFA74B83B31F33201EE7C52BC1E51900AA3150CD14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:27.655{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3059315A02E3840301204140135C286,SHA256=7071695C8DB611777A2F9FB72FB5743622CC5B23A74173A18D9BDA1F7DD5E4A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.429{E8723972-A9B7-6356-2810-000000008902}68606256C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.277{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3AEFB1E9790D98FD40BF01964857B06,SHA256=89FF83862F9BBEA2A532BC81D6D8F27E2BFCA5498FC92DD3C02B09576763D9C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.277{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9B7-6356-2810-000000008902}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.277{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.277{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.277{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.277{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.277{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A9B7-6356-2810-000000008902}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.277{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9B7-6356-2810-000000008902}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.276{E8723972-A9B7-6356-2810-000000008902}6860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.198{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\aborted-session-pingMD5=FE9732CB4C9191F71992D6B5AA1EAC9E,SHA256=F8F85E77671715501AB23DB899AD1F992E8B0EC4F4D94E7410C5DAAFF5A49CD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.129{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000194832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.129{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.129{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF14603d6.TMPMD5=B6AF075EEF849C96E5B077C7686AD18F,SHA256=6238E31FF8D53F83D88B98475C1ADF7A06FFF50096493BBE9E30B6DA56F87D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:27.050{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=496B609C47720728F902685FF78B20ED,SHA256=6258FB62C3B40B054DD7298245991AE0C4FAECFF7D3FFAD2858558923CB9397F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:25.065{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60578-false10.0.1.12-8000- 23542300x8000000000000000100437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:28.739{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AA78B77933150471385EB2DA1B8877,SHA256=CE01ECE56A4B9B96E3E6BADB62885B35AFBE4C600F2372236E715FC81D760249,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.884{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.882{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.877{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.730{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.727{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.727{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.713{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.378{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7DCAB7C04D265D83F6BCF9A04A9FEF,SHA256=E0024DB238983425615F4DE34769F12F572FB2E9772EBB0ECB7389DAB3946361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.260{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2A513E2CD5A52CE4C05CB8B7588FF12A,SHA256=B8A64EAF7B9A6A24581769891C3755510D9C9331FD315A7DB341B30195CFF89A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:28.076{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:29.819{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB28501764BE71785B7F306FC20E60F7,SHA256=D690E0165DB0A327B8B299A12BC9D85F51F9B13D028E327F7BA921F7F6A6DDB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.996{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-346MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.620{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.619{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.617{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.615{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.614{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.606{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.601{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.599{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.595{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.593{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.592{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.591{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.589{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.586{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.567{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.566{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.565{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.564{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.561{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.560{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.558{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.554{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.552{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.549{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.547{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.539{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.534{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.509{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.506{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.496{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.495{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.495{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000194869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.485{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EE8E983A44DA84B4142485F3B9AB6C7,SHA256=DA177F29B7087FB6ECC722E0F816E30A3F72E8B7253BEF0D888D48CEAC0FCF63,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.481{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.473{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.438{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.431{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.418{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.413{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.412{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.409{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.404{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.402{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.401{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.398{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.397{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000194855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:29.395{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000100439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:30.906{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCE4BBBE376EBFAA54F3A73A8593CE1,SHA256=2E3E28E3D347CFF85F4A606FE54713FF7EEFEC054A6394B0A2A0CCEECB795631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.999{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-347MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.660{E8723972-A9BA-6356-2910-000000008902}1723812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.478{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9BA-6356-2910-000000008902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.478{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.478{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.478{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.478{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.478{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A9BA-6356-2910-000000008902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.478{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9BA-6356-2910-000000008902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.477{E8723972-A9BA-6356-2910-000000008902}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:30.193{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A96177ABD0FECFC9577021975163DE02,SHA256=41B152C2C85094CB10937618DB8FA1A6B124D629E731508DA9F118D1A4A48C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:31.996{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F38EEE9846FF301487B6CD9F51B78F11,SHA256=3763DE5AADC9E005F84DB329D273124AC27C1A3A20DF6D9E6D176E5BBA278AB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.862{E8723972-A9BB-6356-2B10-000000008902}86368608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.850{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.850{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.850{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.849{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.849{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.849{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.660{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.660{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.660{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.660{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.660{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.660{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.660{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.662{E8723972-A9BB-6356-2B10-000000008902}8636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.597{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC512CDBEB046FD4A562981A9B0D9FD5,SHA256=0BA97C44000DC141AE420A83ED11B038A5B0D1743A46F1C6EB80CFA47633BD3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:28.746{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53755-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:31.556{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-336MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.198{E8723972-A9BB-6356-2A10-000000008902}86321184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.036{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9BB-6356-2A10-000000008902}8632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.036{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A9BB-6356-2A10-000000008902}8632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.036{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.036{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9BB-6356-2A10-000000008902}8632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.038{E8723972-A9BB-6356-2A10-000000008902}8632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.036{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C32469DC4C30C20A3DAE8DFD1384F29,SHA256=3C0CE5FF67DBDBF463591833043B6F40C4F51CC8A01C740497601166B3D696E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.830{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.830{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.830{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.830{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.830{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000194950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.830{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000194949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.761{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B62D09585891B445C0DAE9A272B4F61,SHA256=CA7AF6A3E3E516E9AB7F3C82F9E3ADF8773A86D2ABBB285EE20C934EAEAE3046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.698{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70051E42F590CD9EF611C328341454CB,SHA256=61F616BB0E25BE0B0B936983E1B435051F5B6CBA9EC010AABE2FE6929901F910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:32.556{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-337MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:32.216{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6858881C3ED2740B48351F4B99C929A3,SHA256=7AAA517916B1ABEC8174481C6E05F0EE709CA74E9C1D20426FA38E81F75F9254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.645{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.645{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.645{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.645{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.645{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.645{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000194941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.645{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000194940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:32.645{E8723972-A9BC-6356-2C10-000000008902}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000194957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:33.801{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D91ECA04D947701D9C91E6E6D1297F,SHA256=06770BBE7054E0C9220114F44EAEFC7A3FD2C9F4B774C76C1092821E78C8B86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:33.073{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0F0102874F06FCC60922ED01F47EB1,SHA256=A42EE6E73052FDE6CE544625F5847C5796B55ECBC457B8D418B8D905D1C6741C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:31.004{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60579-false10.0.1.12-8000- 23542300x8000000000000000194958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:34.962{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD7BFD0E6A2A64FFB953D97B99C543D,SHA256=91ED8D5340C9EAC08D17B9CED8AE05D7737A804C941392B94817F70F493BBF21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:34.149{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FEEFE5D46D93EF9A6C04E7AF63A885A,SHA256=68EDE7FCDA87C83A18B855AE52CD716673A6C13A576E8642303404F2A11EE2DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:35.211{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F94AB00F9FB93B02C7CC39E3A815C0,SHA256=F8738B6813E026A9571D00AB00EA8552CD5A096D4B699345262BDD13B4D1D75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:36.295{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566CF10003AF94F825287C2B8329C241,SHA256=6319775FA9C4C1071CFF329FBCC2BF14B05B509DA9E99553803B12DAF64000F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:36.364{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000194960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:36.364{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000194959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:36.032{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9E36A812B4ED4A41AEAE062DDD9AA1,SHA256=85210225D5C6DC4ABAE66DEFF37B8273F1024C32535FBCEDD97823EBFDF43A12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:37.375{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A453E26E87E0E1238D89E8CEA99CEC83,SHA256=1770D7107132B53C0E35A2BAF72518433A1D34180D1FECA385831AFF9988C0EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000194965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:36.256{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60581-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000194964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:36.256{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60581-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000194963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:36.038{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60580-false10.0.1.12-8000- 23542300x8000000000000000194962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:37.066{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=434AAAAA4EE22B07BC8304D144FE61B9,SHA256=A3987E6400523F1318E02B3064B9F8086B1EB90E9735DD074877C49A3E1D93AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:33.904{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53756-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:38.450{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31AE85BD18980B36D92BC4412219C2A,SHA256=F8933211ACBAA1FCD47E497A5E69A15112306BD72E69164613FFD4E5F9A05E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:38.757{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=A314E772059027198A18B5A61C97BA49,SHA256=5109DEEC5FD72F286215D925B3B08C83162DB91A456C312DD0488E669BEE4AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:38.137{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E0455F4D292F4ED5061A09105376AF,SHA256=D5788F043AC5E6F657CE13EFA46418589A90052815DF88E77455E1003DCCEAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:39.540{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=917F5B4C2B5F13DBA5038F4026BA67ED,SHA256=DDFFC5E18647ABD971F9DB8176E8F324B8948ABB1243F160AE372EAED4E744EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:39.187{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA913689F51377A2AC10D082B39C72D,SHA256=5917B4654ECC4391CC3ACAE9C48D1EBC653AED6A4DBF13B57A48CFD33D66EFD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:40.619{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DCF21D6EF8B9150AF0EBB7A7EFD724F,SHA256=1F4E9C77B963E244D739053B8C44FB795B0C39FC9DABDD785896F77B234DFD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:40.241{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F138BFF2C36A4F26770941C01EE36236,SHA256=880150BE88B3CFB50BE8C311CFB7510D5ED6EFF5FB261F4FBB1AFF518710CC9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:41.707{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB748103F5DC223EB28C1D91080B5A0,SHA256=F015A959B0BAC23B121E4D8F1C831D2FE7A39D7BC74E248C1FFA9823F68824C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:41.293{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC96C85144154395B19D66E78107D882,SHA256=D3F798F5267049191F4B9C258AD057DC9507467F675098596CA2C52C382CE074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:42.797{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A93277C2E13CDD0AA67B281D6826C7B0,SHA256=D320EBAD7B4E30230C45FD2CF4B0FBB527B1154200014949838C369565184761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:42.347{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1681DA01AFCED5A05E0EE3097DBD825,SHA256=62F49428E22FFC8EE744229586880204D516A70164CB19020D538E47609A0E8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:43.413{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F27C340B0A6D007B1EFF30A76AC6E6,SHA256=BAC4C7A455727806B2F53809DB5EC31166C535CD03E02365F38B756CBC10F9B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.540{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.538{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.536{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.532{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.532{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.528{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.527{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.524{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.523{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.520{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.518{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.515{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.514{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.501{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.493{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.475{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.471{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.464{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.437{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.430{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.422{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 354300x8000000000000000100464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:39.886{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53757-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000100463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.412{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.405{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.399{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.391{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.382{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.373{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.362{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000100456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:43.359{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 354300x8000000000000000194972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:41.134{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60582-false10.0.1.12-8000- 23542300x8000000000000000194974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:44.466{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3EC401BF328DEDD1022906B6E2B347F,SHA256=F0FAB98DDE1EEF6EEEA87EF56751B5997A853270EF5D4A16A7914B89178AC698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:44.061{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448476CF96003A7D63FCEE6E0C25C370,SHA256=D0ACBB984560F04039A95FB5F9862761601CA64B7CE4DBA7ABE1B73CD668A70A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000194975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:45.518{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60015F8B5DF1EC63D419BB1475F0A6F,SHA256=D0BE89055B4A928B90FAB9C8E57B71F1DD943E805EFD084209ECF46E310AB39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:45.199{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD93016623386102C28BD43E2449E9CB,SHA256=2D5F3C1CE0C325CB4A212764443A2DDD1D93A161E49B5BB08CBCEB7E8F0CEE69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.754{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.752{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.750{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.747{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 23542300x8000000000000000194997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.581{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=526CD69698C5BBE96F1EE520F7239BD2,SHA256=1A97963AB893D8CD91969CD8687B447DD305D83E61F0422D7FBB473BCB2053F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:46.278{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8BDB7B258FF5CDFDDE817216D59558,SHA256=FF3C2E0826C349939582084FAD661F62A58BE152C2168DB9DE8A33F0AC43B318,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.381{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.370{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.366{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.361{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.358{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.356{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.355{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.329{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.324{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.313{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.309{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.302{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.294{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 23542300x8000000000000000194983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.289{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000194982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.286{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.276{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.270{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.262{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.255{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.220{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000194976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.217{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 23542300x8000000000000000195002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:47.654{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8123FBAD48753CABD5614BD5BE683775,SHA256=9AFD0DF3679D138F07BF9F3A7B8235975C0CFD07FEB2C30187F956D3C53A9AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:47.366{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2031900A0E49F6DAC25331DBEE5B4CFC,SHA256=FD83C142642A478B6B6F0E8372FFB51737309EBD2FCADAB929000F48B7FB026F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:48.811{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:48.810{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:48.804{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 23542300x8000000000000000195004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:48.722{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1217AC909719D856431E65DE44A13B5,SHA256=5ACA5749989794B9FA8EE15148AFAB7D3837C7A18B0FF9861E85414226BE3DED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:48.460{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78DB24C2C1A31AF56891DD9BE9026663,SHA256=9A1333A1409D658F6B11B4C3FB4701669FA9717A7E8C385432898B505271CC5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:46.164{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60583-false10.0.1.12-8089- 23542300x8000000000000000195055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.843{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01A1E327C7503567C2DB4E96AEF9A083,SHA256=C985BA73EA044CC59529E1D45CB9171952882D1D2C3D22A260EA0C525E06BFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:49.525{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C2A3673FCA77EDF0A4E5002E221E85,SHA256=7E532506BD7B0355316EDD539206954958C753A70C97B4003486B43F42B79AA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.566{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.565{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.563{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.561{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.560{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.553{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.550{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.547{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.544{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.541{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.540{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.539{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.537{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.534{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.519{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.518{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.518{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.517{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.516{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.514{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.512{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.508{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.507{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.503{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.501{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.493{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.492{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.460{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.456{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.446{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.446{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.445{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.431{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.415{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.360{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.354{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.345{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.340{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.338{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.336{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.333{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.330{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.329{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.325{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.324{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:49.322{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 354300x8000000000000000195008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:47.029{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60584-false10.0.1.12-8000- 354300x8000000000000000100492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:46.118{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl56087-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 354300x8000000000000000100491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:45.876{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53758-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000195056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:50.928{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C24F50B185323342126C3B106DB5F3E,SHA256=EC7DB1A2A618B45FCA059A2982A9C68ACD4D24EF570AD3FE75C430680D0B4B5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:50.618{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4212B5D5A5B633EFDD2EDA7982F44105,SHA256=3CDF24027EAEAE1BBA99E1256EE30CCC56243488E178CE555830DE899FE11212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:51.987{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93075B7ED3F7CC0B7FE907AA0C643C66,SHA256=BE53AE203434D317C71BC0D2A2DF2068D0741FD4A90032D4DD16B60006A4A602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:51.693{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A246700376CEC3F571E7E9BC9829A9D4,SHA256=E2C5AA6080AB55DA6D5E8B0A4DB958BB86D511784E5E1897FE55C784AED0A3B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:51.255{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4C81CDDD28BD0730BC762162835F11E,SHA256=940493C6A0BEE033FD294ED6BDACE281ABEE734625736F3957AC7F471261A378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:52.787{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E95046196FEBD1340EBF8B1DD7767F3B,SHA256=3C98A29737ED797FFB3AE944E6239B75C3A94575623A214130EC3BFD3BAE691C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:53.873{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD97847E5BD09468A4E1E50BCD87F97,SHA256=460F83ACBE0E694BDF9C7FDDE57AC6433461DA3BC85DE03B1D5C35B120137A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:53.031{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EDD19662FE70C24B7F7B688AFE034C,SHA256=171A9A5B18FD74F843829C149455FC85E60A9190BAB51E097B05796618113278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:54.955{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5262131635ED7114F5BD79DB7A381C,SHA256=8045D0677A2432F77D8A16AFFEF4410828ABF2879D7F82BDACC372B9C484F4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:54.068{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452E96B66CAA1A5A1FB433385681E4B1,SHA256=37FF22EC293D61256351ED28A48FDD5461203C06F8D7EC8EC11008FBE8AFFFC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:52.138{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60585-false10.0.1.12-8000- 10341000x8000000000000000195062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:55.402{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:55.119{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FF32CB7FAD6DE91F16018D15728999,SHA256=0C71EF3BEDF68214E4A8EB66FCED6154E019915101F80D1803E32AEA72EB82CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:51.804{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53759-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000195063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:56.173{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF2BFDA28CF7B7806697B56BD6F001DB,SHA256=EF6DD50BFFCE16B878F51349ABDE4FC78225A655789FBC462F4B9F160D4DA151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:56.032{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCC37A5B3374C8EE31052A2564F3266,SHA256=5C0B73231059640E1F8157C2AB37071F102F3544A294EDD94C7225F3E65A3319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:57.274{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB5CEC3286D7490239B49BCF6491B10,SHA256=BD3BBFDCBEEE3EFA04178A2142FB0CB126DBC3221B1C6E30802868B89B0398EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A9D5-6356-640A-000000008A02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A9D5-6356-640A-000000008A02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.967{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A9D5-6356-640A-000000008A02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.968{3A30D728-A9D5-6356-640A-000000008A02}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:57.123{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D925EF72104B9E457EB7D6D5F99C2BFD,SHA256=AB1275EF955FA6BBC4D29A51A2CC5A4D2469B21DD05801A0980AB59556AEE60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:58.341{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6975E3635B2E6C691E65063ED589154,SHA256=23CD5B4127E645CD39E308B32087EA6DA4BA82B31638B0A5FBE3A88A36FD4629,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A9D6-6356-650A-000000008A02}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A9D6-6356-650A-000000008A02}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A9D6-6356-650A-000000008A02}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-A9D6-6356-650A-000000008A02}1828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.630{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EC1E0374F830BF3C30CE75CEB6F879AA,SHA256=47370E87A19B3D49701AF1A29E1E44CFCA5419306AD4502B22222CDDA9130D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.222{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB96EBA5FAD958AF9CFCFDD8CF6DE7B,SHA256=C7A449EE43DE7D8072E8555C7010C92C958E1D90C60151BB7D0C1FB6D623B579,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.164{3A30D728-A9D5-6356-640A-000000008A02}13361424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:58.024{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F8BF675594E9B14C5A30C6A0C18AFEFB,SHA256=3920AED7A7911976EBDAEBEC34D9DD40747105E7C42205A6C083B622C3B6582C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:59.409{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC493DC68A33CDC0757071265B82D687,SHA256=0717EE8A3F15B5D3F5E71DA5398D0CC753DEC7AB464DAD3E850D6620C14CED64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:59.343{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=781BA02F2950B41A6B3B29237315B80B,SHA256=917F898C1FE6DCF6E728B36107CB9C65D943E982740F9C5E976A432E84A75F39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:56.857{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53760-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000100553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.417{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.417{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.417{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.417{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.417{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.417{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000100547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.307{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.308{3A30D728-A9D7-6356-660A-000000008A02}2848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.205{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1895695CF782BC584E4FDD1A97354C7E,SHA256=C5576D79E7ABB9CA730D39C0C818E1F62E8BDD46EE8DB26F4B7E5992E83885AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:05:59.194{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1D77A384167EE81EFE2758767D94668,SHA256=5E4D6BCE7CBF257ACCFA2025CED1DEEA9FBD2D6817805B35D80CB00975CFA6AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:57.912{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60586-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000195067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:57.912{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60586-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000195066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:59.109{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF4DA05D0DC1BC025A881F232551C27E,SHA256=775B3A83E9AD030261B6808B10E88708D4D116D0A3F65F9939282CA3085B58E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.636{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64116C2E6E9A43CC48CA18E19D4123EA,SHA256=BE7557570FBED7D36FAB615FDBEA61D9F3D4C8C7E5672DA538FB361CFA73CF38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.371{3A30D728-A9D8-6356-670A-000000008A02}3772944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:00.379{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FD87C6D2234137FCF12067B084164D,SHA256=65F4CB303BBE3D3D5BC1C696C795ED171C4FC332EBF1713A64FD11188BA787E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:05:58.135{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60587-false10.0.1.12-8000- 10341000x8000000000000000100567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A9D8-6356-670A-000000008A02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A9D8-6356-670A-000000008A02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.141{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A9D8-6356-670A-000000008A02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:00.142{3A30D728-A9D8-6356-670A-000000008A02}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:01.464{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19978DF9BC27468C04163200B7426955,SHA256=2CEA18CEAFA0CFB050CA389B98C388720185A19A6464C7CEEDA5FAE4B08D31D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A9D9-6356-690A-000000008A02}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A9D9-6356-690A-000000008A02}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.949{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A9D9-6356-690A-000000008A02}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.950{3A30D728-A9D9-6356-690A-000000008A02}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.486{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BBF2D98868674F783D3F492F57780E6,SHA256=935FA84559F96658DE9D0058B53B431DDFD70341EC0BC42B2A9BBCD50C5823A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.471{3A30D728-A9D9-6356-680A-000000008A02}3403636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A9D9-6356-680A-000000008A02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A9D9-6356-680A-000000008A02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.283{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A9D9-6356-680A-000000008A02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.284{3A30D728-A9D9-6356-680A-000000008A02}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:02.531{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143BFB23DAC3A6B205155056AF9D4028,SHA256=725ECEC0478C5C1CDA98C2C521FCA58E70B59F7BF8CA9F0EE6C6B776F53A0BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:02.588{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=039AC0F14DC998A497624CB5400DFFBA,SHA256=FC46C0B7907B7F868500307A07E2768D94DE53D0B644F5BEC3047695D03BC44B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:02.507{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=AAE31635E632F3891DBF021AC064DD63,SHA256=3DD0BCF44D85FE1DBB7B4D762E756F26B0F705D53C320A30C7F9E5A82DF8C864,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:02.121{3A30D728-A9D9-6356-690A-000000008A02}1842872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:03.601{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB06541CE9B168E26A6E2EE089188692,SHA256=EEE35DB6613B0763469A9D0C0E43E43AD9D08D426AA86CC1557A20FCA5733CBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.720{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.715{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.712{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.709{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.708{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.699{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.697{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.694{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.691{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.688{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.684{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.674{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.672{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.657{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.645{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.623{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.619{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.606{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.574{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.563{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 23542300x8000000000000000100610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.551{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBDB6FC821B5E1C3482D23361C0AB4A,SHA256=DBB252C2AB180FE364AD93F927D856C82C7A0E6280D4181B230892D94ECB11ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.544{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.521{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.505{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.494{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.454{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.434{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.422{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.394{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:03.382{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x8000000000000000195076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:04.652{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4959FC39B5A576A9D130DA97F36379A2,SHA256=3F8D5C1C5E8AAF2438D0081BEC348FBE413AE2DC7A35F8D409856EF9298F6E4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:01.901{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53761-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:04.612{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B415D91DC9537D178C0BAAA41CCD2B96,SHA256=4BD321DF990A9A20ECB8527BC72D27DD4BBD0F40309A28CF94D3172D4E681EA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.920{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.920{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.920{3A30D728-58B9-6356-0B00-000000008A02}6241360C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.691{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB887920384A68299D9B46E0F078BF09,SHA256=6242EB30FDC464D37D5DB9D6CB0613B7790404F05E4A0DF83366F3E95C2CF096,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000195087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000195086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01469b82) 13241300x8000000000000000195085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0xc1b8a9dd) 13241300x8000000000000000195084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7ba-0x237d11dd) 13241300x8000000000000000195083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c2-0x854179dd) 13241300x8000000000000000195082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000195081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01469b82) 13241300x8000000000000000195080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0xc1b8a9dd) 13241300x8000000000000000195079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7ba-0x237d11dd) 13241300x8000000000000000195078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:05.955{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c2-0x854179dd) 23542300x8000000000000000195077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:05.691{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05EFE3E396C34945EEC0FF9C2BD06C4,SHA256=3E7F5BFF1401C72B9FC640517580EF6B63102BF0E9BDB5BE1FC29429D203AF32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A9DD-6356-6A0A-000000008A02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-A9DD-6356-6A0A-000000008A02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.070{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A9DD-6356-6A0A-000000008A02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:05.071{3A30D728-A9DD-6356-6A0A-000000008A02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000195112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.803{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.801{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.800{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.796{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000100652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:06.778{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D758A1991B3444BA88E775BF2EB9A853,SHA256=A1164348909A73ACD84FEB9AF87F1965601C2FCF602E344F4617D797E90FF9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:06.111{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7526B5DD329FFDD7AD4CC63CFF1B2B7B,SHA256=687F436CF7CD7DF3FB4616E4D43D0EF31A6DBA350C08DC6045617B180D43FE21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.427{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.415{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.409{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.403{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.400{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.398{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.394{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.365{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.358{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.347{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.342{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.336{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.319{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.310{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 354300x8000000000000000195094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:03.928{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60588-false10.0.1.12-8000- 10341000x8000000000000000195093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.296{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.286{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.273{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.265{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.223{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:06.220{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000195114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:07.908{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4FF21AD588A1E79E64F1173FB7F5ED,SHA256=7957A2FA37379F6086C133514A3202CB5D4BCE7D92BE7E7BDD176BA1DE8894D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:07.860{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555EFB564FB78B377A0E994FD043BDC1,SHA256=773461BC5C58CEF229FF50E1238588289EB5BA14B237F5873C8B4DDAEEC9022D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:07.222{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB027EA23CE5F28145B8BC474187D73,SHA256=DFA7D688C8FDD4F0892AAFD164718D6CF7AEF30C1C4FF3AE93084B3DBAC8C195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:08.942{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F45F5887AFAB7B785F06DAED0F1FDC,SHA256=687A9D2EF440C6ED7AF676FC2F9B43A48009DDD07720BA7BA1A661D35271E1A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.816{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.815{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.809{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:08.083{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.960{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706C268CD121D40991218B4F7E8FD873,SHA256=F0821FD97ACDDB94B1C7AAE3DE26863034263819060E2E02E46FEF65FDA06D98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.627{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.627{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.624{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.622{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.620{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.614{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.611{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.608{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.606{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.602{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.601{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.600{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.599{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.595{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.579{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.578{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.577{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.577{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.575{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.574{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.572{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.568{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.566{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.563{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.560{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.552{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.550{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.526{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.522{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.512{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.511{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.510{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.495{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.487{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.457{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.451{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.442{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.437{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.435{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000195161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.434{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F64D624950462D6CCB4D0F8E3C46A9E,SHA256=F9777062A298B729FF679A03CDCE7FB53A0E2941318DBE3E476FA79F51C1A695,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.433{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.337{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.335{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.334{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.330{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.329{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.327{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.243{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.243{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.243{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:10.345{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE8805BE655F63A1C3D8F12DADF5B4A0,SHA256=D7D1D429B1D0A39EF9CE91E74A30FFED43639BB36CC7932A8419A9ECA57E1CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:10.022{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A271D3BC33AC8F7576EE139DDC4288F9,SHA256=606A472FFAF8011778B4F0CE347874CF9F6F021EDE76791BB235813E44DCF124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:11.428{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E42C1170832DF8945A20CE743BFB028F,SHA256=8C9947EF12D09A7D3B5961B77D0F1A1AE662B1B316F2BCAEB7B1ECC20AEE8679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:11.105{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C81977D0E6320AD245EA8B355D4971,SHA256=BA649A03FCBA8F0EA6A0B4A1ECCB93BC549B5EC584B8D68DBF40E1C1509FB886,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:07.885{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53762-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000195203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:09.085{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60589-false10.0.1.12-8000- 23542300x8000000000000000195205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:12.483{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC0EF57166D579D14A879F39353D5D7,SHA256=848780149C77445E294967DC0CDCCE4B62D1F457D6F58952DA827AB58A388D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:12.188{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E23F8874B2F2A85CE93629C55D27E54,SHA256=51B4E33D4E22666874394D4BD32E8249DBC1EACE67A7E20B05E52C46D153340D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:13.531{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFE5E2E9290B358F68DB96B607E60A4,SHA256=E263F61F13AD3B5C8240A00F9831B90F680C20BF0F4263207CACA06B7EACDE6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:13.271{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE150DD93EC575D59F06C546EFE0699,SHA256=AA5F7114C44C0120D6553C42D051CDEDE72666C0AAB533E022E46F4E414FDA48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:14.587{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5773B01BD5046128E0BC5A29D28E6C43,SHA256=22ACADCFB62F698C5C1A4AAAEFB0C82795F34D4E80ED9F189CD0313DDD5FE11A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:14.363{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4FD3A8348E2286445CCD7436D19D5C,SHA256=51BC44D5AF13D4AB00FA892DCB1F65F63B75869105049346BCC73A2B62F4D4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:15.636{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A39345DA808E979095370E8ABDED875,SHA256=A9622A45D7CBFE2071BFACC94992815B4174ACBC2DF874C0064C6B6B385F628D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:15.446{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB1B7E58CAEBBBE86065B769AE7BB4C,SHA256=28A956370F1C59647B3E87E71C2840B613D0D5E90C2103060F4D98BB6C7089C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:16.524{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AA8CD5A699B7F66042164E884ED671,SHA256=11E5DE00040AB58289BA4E4EB3FB70A2676D8E2C994B540CDBCBE4F877A2C60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.708{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1443E85822105BAC9F93709D4B2E0C18,SHA256=F22BBC4907975CE0EBB6C9907FBFFFE8CC6904E6B8C0D829CBA1E073A98E2EC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.537{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5642-6356-0100-000000008902}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000195211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.437{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.437{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:14.133{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60590-false10.0.1.12-8000- 23542300x8000000000000000100664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:17.617{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103A8FFD8F72C80A7249116A14FBF1BD,SHA256=2C74A0A328816B487D9EB48A06F736983A747BD90939CC3B6F55A0A898F755FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:17.741{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA7241A77AFEADECF731E270D1F028B,SHA256=C05A61A181E9D7531BD77986ED89ACB17AC5D4F50AAB09CBC9B9D6C72BFF624D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:13.769{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53763-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000195214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:17.539{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=769448BA5BB88AA0B910B7D2B2B6E418,SHA256=B0A596BE4858156521C6076C84058B9D6D3444D172C52F8373730E76E42AF6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:18.705{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609A484C7AB6C7450FC031A63C7D0250,SHA256=CE2FE8EE87CEC75B66EF70915248C45B6C30B0F48E49B704B4033A137B1A6CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:18.810{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5681E3E85FC5CBF7D2A71CC546552CF,SHA256=82D8D72ABDA910B7E87AFE4A9C3F134C424B8FD55D07D3269C558F7B4446B5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:18.020{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.431{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60593-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000195221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.431{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60593-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000195220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.338{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60592-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000195219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.338{E8723972-5646-6356-1600-000000008902}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60592-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000195218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.331{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60591-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000195217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:16.331{E8723972-5646-6356-1600-000000008902}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60591-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000195216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:18.143{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=06E3F6965E19B1CB52C629A501151EDD,SHA256=4BDEEE11157746176296F5CCB9A5B2DFF4396D99BCDE46BBF7A0470FF4DBA5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:19.877{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E220F3D5CE62E47337DB23B83EB020,SHA256=5C4C6A683816A487385840E42F84DBE94FA78532811BF3F13439EDDE9B3A9B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:19.772{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82090AB9F43E3F20C4AD3557E11D0FDE,SHA256=FF0DDCA2CE0D82E5FAC520E15BE9E19C7A6543C9128EB9B2AF38DECB3BCB8694,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:16.698{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53764-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000195225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:20.930{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D825CF3E3246148556968EA5DD2D5E15,SHA256=F0E9716F591451430ECF2215B9DF28989C05FE9297E1041860D44CB7BE3F155E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:20.865{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=841546FD9B38578ABF0A62FD3B0CFDA1,SHA256=D3C18DADE4D64F7597DAD10E73390334E6178A49715606A14F5B99242E708026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:21.982{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6DA50941CF1F4CB794C84AA13758EE,SHA256=94A75EEF255BED1C5705BF27D47DE191E83539F25BE5A3A79913D89CD7686F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:21.950{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE761F1D40E5956F393CA50995C19D4,SHA256=9AC3195D92475C00011088429B4752FCED599ACCBC452E9BF95235D7A632CB47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:20.027{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60594-false10.0.1.12-8000- 354300x8000000000000000100671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:18.946{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53765-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000195228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:23.050{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A265576A06C8DA35F905BE3D5AC3D4CC,SHA256=4787CE9E56AB24E93D831DBD5BAD1673A862ABDE920FFB03571470D628F96417,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.543{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.541{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.539{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.536{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.535{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.532{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.531{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.528{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.526{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.522{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.520{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.517{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.515{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.507{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.500{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.486{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.484{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.477{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.448{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.442{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.435{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.426{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.418{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.409{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.401{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.393{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.385{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.373{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.369{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 23542300x8000000000000000100672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:23.040{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0485ABE3612D3305E67B713BCC269182,SHA256=85D4F9D27ACB03E483ED6B1D54DBB5C26BD4E91F331C0366A45CDCD9B0279F90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:24.178{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E8BDE5E063628ADE6B629255A3FE51,SHA256=B5E63E635A38CFFBF434F44C04053FADDD555F402AC656E3DD26A0230CD2F708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:24.106{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A3AC5AB4007D766F7C756A28329253,SHA256=B899ACA6740E5813B9326C61E5B198BC318E1A5AFCA5BB45DD8C3D7435E575A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:25.425{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38F99965E38EA0151DB2BF748117D4C,SHA256=A9A9CF47CFCF7CF51FF3B9759FDED627690BAD4F8E0B7AB534657C2793759020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.939{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9F1-6356-2D10-000000008902}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.939{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.939{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.939{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.939{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.939{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A9F1-6356-2D10-000000008902}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.939{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9F1-6356-2D10-000000008902}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.940{E8723972-A9F1-6356-2D10-000000008902}1540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.207{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AA586EACE9F4AC2CEFDCD306BE37D17,SHA256=76209F7EF4100EA906F6CC7AC153FFF40AD1AD2CB01E26180B5E89996546BED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:26.498{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD66E0775A57B601484386AD11E70F5,SHA256=81B776EC25849AC8BBE85EBB3FDB3D66FE31717F9785603B35EBF4F708991786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.795{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.793{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.792{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.789{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.610{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9F2-6356-2E10-000000008902}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.608{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.608{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.607{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.607{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.607{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A9F2-6356-2E10-000000008902}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.607{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9F2-6356-2E10-000000008902}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.606{E8723972-A9F2-6356-2E10-000000008902}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000195261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.428{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.417{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.412{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.407{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.404{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.402{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.401{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.379{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.374{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.363{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.358{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.351{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.339{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.328{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 354300x8000000000000000195247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:25.129{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60595-false10.0.1.12-8000- 10341000x8000000000000000195246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.312{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.304{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.289{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.274{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000195242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.262{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FEB8FDE010D36F9F38A77FDCD3643E,SHA256=AC4CFC2CD1A6C7EF4F8720B1267DDB46C548C7E17775003A41890F141E98CF80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.225{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.223{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:26.125{E8723972-A9F1-6356-2D10-000000008902}15409904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:27.593{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D580C4226F7B68E5C848B75352C7FB91,SHA256=5ABDBD0BAAD8A2EC3CBE00B9CA5635AC59FB534EDEDD20224EF56448B7AB2332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.330{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD14535682DE8E0061B7C9DDF1E7A284,SHA256=E7C217B750D6B8E6F5E25556386FD5C01D6B12FC8EE117BACBE096F02BFF833D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.224{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9F3-6356-2F10-000000008902}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.224{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.224{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.224{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.224{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.224{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A9F3-6356-2F10-000000008902}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.224{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9F3-6356-2F10-000000008902}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.216{E8723972-A9F3-6356-2F10-000000008902}4512C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:27.048{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=034E3B509CC2B021415670ECEDE5E7FB,SHA256=A664477449596B27FBFF1EC9DAB683E26979AFC4B368A5A33EB3BFDC5EB28D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:28.675{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A4819A39B52DAFBA8A3B064E23D6F8,SHA256=9A12FD682B4AFD11FC1EBFC3F625407DDB37DD7989B9956C4DF7BE67F636A7D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:28.826{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:28.825{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:28.818{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:28.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:28.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:28.733{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:28.713{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:28.301{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB8A519C4BB87E6FA5B5BE4AD3A6A5F,SHA256=E998B26D7C0A00C038CB9F8D376F7BDCAA624E7714DB777B06877BD7E254B1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:28.272{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F2EB479DD624A65A8D7BBB910996D788,SHA256=81E4F920225DCF2EE7218B31500DFF0E2EB727158C673F462B9AFB0E181394DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:24.785{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53766-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:29.759{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CAF25AB0459C5E46029D3C98DCAA77,SHA256=8B835E6FC16D5D4A23EDEE36109B20550A1AE47C36E8CB1019B6AA9F84F12A75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.561{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.560{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.557{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.555{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.554{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.546{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.542{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.539{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.535{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.532{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.530{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.529{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.527{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.523{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.507{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.506{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.505{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.504{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.503{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.502{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000195320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.501{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=65A9E50D014BC25AC0FE1293E37EF7EA,SHA256=B266A8E81778AA542C864795A4C920885DA99065F1DADA759BE984A46AFAE756,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.499{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.496{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.493{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.490{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.488{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.480{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.478{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.449{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.445{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.434{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.433{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.432{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.419{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.405{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.376{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.369{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.360{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.354{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.352{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.349{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.346{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.344{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.343{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000195296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.341{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABCF79E7E15060096DAB06A242DA460D,SHA256=CA381B90A3918DD8017CF67596742E63B7B6B054FDB5BBEE43D532342B72FFF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.339{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.338{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000195293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:29.335{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000100709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:30.849{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59E55922605F9F5A3E5C5598D330F2C,SHA256=65BE99BD86F3E307FFD0C484353942ED8191F14F2274274DAF171C6C5BDE70DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.669{E8723972-A9F6-6356-3010-000000008902}98406140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.621{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF27DD59ED00F0269FD6D8F1D0BB10A4,SHA256=A61FDA61A2C1C0592C1C6ADE3304379A7642D4897D7F8406A8D0D7A06856C4B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.505{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9F6-6356-3010-000000008902}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.502{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.502{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.502{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.502{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.502{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A9F6-6356-3010-000000008902}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.502{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9F6-6356-3010-000000008902}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:30.503{E8723972-A9F6-6356-3010-000000008902}9840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:31.924{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4481816586A0F552D2D8E35895B1E50,SHA256=D163A0AEF7ECE21D9EDA3ED54A9151C0AF301D5E8DE2B1BEA8DA5F2CCD376BFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.885{E8723972-A9F7-6356-3210-000000008902}84288868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.707{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9F7-6356-3210-000000008902}8428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.707{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.707{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.707{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.707{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.707{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A9F7-6356-3210-000000008902}8428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.707{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9F7-6356-3210-000000008902}8428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.705{E8723972-A9F7-6356-3210-000000008902}8428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.558{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFE8E1E1C81738B0C2D9DF4332197E5,SHA256=9B624E17AC00C04DBEB49E32A6ED5A099404C326377B424713FC2C48C6034B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.525{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-347MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.353{E8723972-A9F7-6356-3110-000000008902}89408308C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.173{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9F7-6356-3110-000000008902}8940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.171{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.171{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.170{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.170{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.170{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A9F7-6356-3110-000000008902}8940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.170{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9F7-6356-3110-000000008902}8940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.169{E8723972-A9F7-6356-3110-000000008902}8940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.724{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A71E62F3FFA7DB5B564A78E1975E60B,SHA256=2ACE22CD1C1E53D92F2A351B35A3341FA8871DCF262D2CFDF028C9A98028623E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.640{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A9F8-6356-3310-000000008902}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.640{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.640{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.640{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.640{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.640{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-A9F8-6356-3310-000000008902}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.640{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A9F8-6356-3310-000000008902}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.641{E8723972-A9F8-6356-3310-000000008902}2260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.609{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EF56CA88D9A9E82E749FEF0F01099F,SHA256=404FF7051247C2F9AB4ECE398719B11810CB03B8D71C9622F651C0CE7A5950CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:32.750{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=49D03B3976548AAEC0D79664D6237872,SHA256=07A0023B8795BF0CBC3F03739BEB0E7909CF77828171C826A4BE9F87EE198BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:32.525{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-348MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:31.096{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60596-false10.0.1.12-8000- 23542300x8000000000000000195383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:33.657{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5F94EE450ADD4B422F4E0B9076113D5,SHA256=0C0B1F9D9BB85A6772452D0EB31CC51AD04863D690F9C0227B694974A2288C3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:29.850{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53767-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:33.080{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-337MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:33.015{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70BCAE50BFB787C31298D5922BC0373,SHA256=3E1ED771276870394ED816F9044E886F9E9731D546B3469CA712101C51869E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:34.693{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961FBF4F9BC89025599CA9F623DD7596,SHA256=748009DD366CF63BA8240C666A60BA53C1A8EC37EF784A79E2444BD9B186F536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:34.097{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32826A250DC195368BD99FA20959E3C5,SHA256=CC29C63AEA49F1B6582A0E1AFAD768486C8650EDACFC3DBBABC9C92F40F0CC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:34.089{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-338MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:35.793{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E913A1A325F292A58ADFCBAB5632BCAF,SHA256=772F05CA805C497339528B52E048875E367A11E41FC2C3D6A173D0CB61D4A1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:35.151{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2039F102836C8425A3AB4F950B3910D9,SHA256=8CCB1E07F93478A2F18F60ADCC7086BEDC922D59478358DBAD3D88C864E568B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:36.945{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e74e98|C:\Program Files\Mozilla Firefox\xul.dll+e623f4|C:\Program Files\Mozilla Firefox\xul.dll+3842e64|C:\Program Files\Mozilla Firefox\xul.dll+38be584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:36.830{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A837A949B20CE761A07613470A47214,SHA256=CD25202609E91BDEDD6CE8F89D655C56F3AABDA0B26D34070B2BC018B2511EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:36.225{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B47CABE1D1FC7EDB6D9C38CC3DEAA54,SHA256=E208FE644AC08EE126D93E37AABA7F7B436CD8D5777733D681B1570AEF83EE63,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000195388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:36.494{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txt2022-10-24 15:06:36.493 23542300x8000000000000000195387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:36.494{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000195386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:36.493{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txt2022-10-24 15:06:36.493 23542300x8000000000000000100719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:37.307{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0998A254D62E60405AAC78ECB3AADD56,SHA256=9891980434966A00624E64E6D855464B3920CB602851DFCD45A22EE00825EB29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.979{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e64954|C:\Program Files\Mozilla Firefox\xul.dll+e735b2|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.979{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9ee269|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a8c96f|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5A49-6356-0405-000000008902}57163324C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+aa82|C:\Program Files\Mozilla Firefox\firefox.exe+648e|C:\Program Files\Mozilla Firefox\xul.dll+7bd31e|C:\Program Files\Mozilla Firefox\xul.dll+9e90d4|C:\Program Files\Mozilla Firefox\xul.dll+9e7125|C:\Program Files\Mozilla Firefox\xul.dll+9ef13e|C:\Program Files\Mozilla Firefox\xul.dll+846b13|C:\Program Files\Mozilla Firefox\xul.dll+17cdaa7|C:\Program Files\Mozilla Firefox\xul.dll+17cc7f5|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+84a377|C:\Program Files\Mozilla Firefox\nss3.dll+711dc|C:\Program Files\Mozilla Firefox\nss3.dll+89b11|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.972{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe106.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5716.286.824365645\323051110" -childID 283 -isForBrowser -prefsHandle 5036 -prefMapHandle 6488 -prefsLen 34438 -prefMapSize 231165 -jsInitHandle 1016 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221019185550 -appDir "C:\Program Files\Mozilla Firefox\browser" - {491c5cf9-22a8-4ea7-8ceb-01a327c73ce5} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" 5604 1ddc118c958 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442LowMD5=2C1C9646FE1E0E4523667FB6F258C59F,SHA256=BB0679AB0C71EF86E2A353C0B3B9258C42C104B3C9A3AD23647934B795D09ABD,IMPHASH=5358568F6EDC0DB44595BE82D0734963{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000195424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.963{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000195398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:06:37.963{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.286.82436564C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000195397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.878{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D6246981BA3678AB34CD5A77C72766,SHA256=B08A3247590ABC3576A3B4E1DE35BAACDF8711801DF78EFA83835FB5DBC0798A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000195396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:37.496{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000195395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:37.496{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\16F939A6-F11C-43C5-B462-BE8A86302C43\Config SourceDWORD (0x00000001) 13241300x8000000000000000195394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:06:37.496{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\16F939A6-F11C-43C5-B462-BE8A86302C43\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_16F939A6-F11C-43C5-B462-BE8A86302C43.XML 10341000x8000000000000000195393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.495{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.494{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.046{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.949{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4524D4B1108608BCBFC0EDEA374DEDB,SHA256=3F5F1BA951975D26E295931EBA29D9D0956BF75789DC032CE3891001294A11F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:38.391{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A35A417DED7F5D3A1145368998B185,SHA256=93BD5E0E455ABD1EDBD826FDFBB90533DEF380500D9BFB17889D4A30D909A0D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.052{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60598-false10.0.1.12-8000- 354300x8000000000000000195460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:36.965{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60597-false104.244.42.66-443https 354300x8000000000000000195459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:36.844{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51492- 354300x8000000000000000195458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:36.841{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54269- 10341000x8000000000000000195457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.353{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.350{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.350{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.316{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2CF9C5105D9B08371A0280FB62C98F37,SHA256=12B43D0EC1F3554FE21153D2509665C0ADCF7629427840C36F070267E6867954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.265{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B2BC0D4580382921F1016B27BF5778E,SHA256=B01FABA9779E29BC3E32ECD870AEB5844AD00CF5E718D1F633600C0ACEAAEAE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.261{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000195451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.261{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000195450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.261{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000195449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.261{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000195448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.261{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000195447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.260{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000195446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.063{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.048{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.048{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.048{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000195442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:06:38.032{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-282C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000195441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:06:38.032{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-282C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000195440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.016{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000195439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:06:38.016{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.10442904713830176206C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000195438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:06:38.016{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.10442904713830176206C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000195437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.016{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a8e6d4|C:\Program Files\Mozilla Firefox\xul.dll+1a8c797|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000195436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:06:38.013{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.286.82436564C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000195435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.997{E8723972-5A49-6356-0405-000000008902}57165536C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+113deb|C:\Program Files\Mozilla Firefox\xul.dll+12f85dc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000195434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:06:37.997{E8723972-5A49-6356-0405-000000008902}5716\gecko-crash-server-pipe.5716C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000100722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:39.469{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49865C3F581547C07F193EB2AE953DB9,SHA256=3C84F43920EB3A1E023C21874D6075DED4EBA5AA0E89DA34CA3CE222B776E1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:39.450{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51F2E71D6FC6755FBA1683D67E55C16A,SHA256=7E5B8FF1A31AF70C17A3230D7B004FB78AC10072CE6E3629AA4C67BF4997B972,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.240{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60600-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000195468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:38.240{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60600-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000195467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.386{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60599-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000195466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:37.386{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local60599-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 10341000x8000000000000000195465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:39.181{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:39.181{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:39.181{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000100721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:35.863{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53768-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:40.545{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547164277E0C373B5632E084FC478CFE,SHA256=267DF8201595FD300BADE0ED6955BAE3CC7B5FC2B977F0FDA980764011F0AF0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:39.071{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60601-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000195472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:39.071{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60601-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000195471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:40.020{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0343C1ECE2F2D9B9903428FBA3B45741,SHA256=877C5819C220819A91AAA5255036050023830C457E4DAA7D4B4E6F5D382D0E82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:41.617{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AE1634B28EDB1C7BF819A094759FED,SHA256=84A3AC4205010E146191567115219F614FF6B0FDF84D9344C14AB4A62AAAD9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:41.139{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D00F87B6DCA8A37E63C257F0DEF595,SHA256=4EFBD3FA0FD2A30C8C2293A2955458C8D66FB048DF22C36FC60EC0400E2ADFE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:42.707{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F34B45C43C3056518C8D8864D088D92D,SHA256=E9A8746CA87B77A2641525224279189ED293F56A0041EB019EF8107AD14813D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:42.204{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3856A7979505980ABEE338D6A0C3BAE4,SHA256=DA9CD1AABDB28E9EF3A2F77B2EB7683DA2CF4EFC5C39636C751E1005FCFB63AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:43.259{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D309030CE3351E7993933684695F383,SHA256=CF6CB1001D20FB80BBE311A0321FA4CF5B0548DB409BB9638564528E2986F8BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.608{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.598{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.590{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.584{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.582{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.572{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.571{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.569{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.567{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.563{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.560{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.556{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.554{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.540{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.523{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.500{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.495{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.487{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.456{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.441{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.432{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.424{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.415{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.409{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.397{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.389{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.379{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.365{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000100726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:43.361{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 23542300x8000000000000000100755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:44.182{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24899F9089F99BB79A777A4BB7940AE0,SHA256=8D965189B7A41678B7856521F03A4AF2E8CC36A4817E11C80AAE17CCFBD56D5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:42.112{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60602-false10.0.1.12-8000- 23542300x8000000000000000195477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:44.296{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7979B84199C52884BBDC17AF6E0587,SHA256=BB54FA764B0A9C93546FB3F48C75B69CB6217097BC2BFD50A3E74053033D615F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:45.360{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CE02635A5DD532C1761B5D4ABD1A5B,SHA256=0790125B0AE2B34C7DEE468AA7781EFEEFCA667BD5021A8284AFDB9DDD67D147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:45.322{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4AE6B1DB48FBCFE35CA5F412AA1779,SHA256=827D11A1EA5EA5CDB74D7C1114585FCC1F7907FF94BD629B028E64BEC37E48FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:41.847{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53769-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000195505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.843{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.841{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.840{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.830{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.401{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.390{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x8000000000000000195499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.389{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F7B09C8A986276F154384A4AFD08CA,SHA256=C8BA2258775B108DD652BFC88003707306C46E61F66B5B14A7F0802BA7CCC43A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.385{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.378{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.375{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.373{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.371{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x8000000000000000100758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:46.401{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7042041FEC261C001D9559360EF71F,SHA256=F0616F668C17F958031C5126F1262A486C084D0813CA58A5CFA2C5038C766971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.348{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.342{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.330{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.325{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.319{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.310{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x8000000000000000195487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.307{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.301{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.290{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.283{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.275{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.266{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.224{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.221{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 354300x8000000000000000195507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:46.180{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60603-false10.0.1.12-8089- 23542300x8000000000000000195506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:47.431{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A142F480B6779BE45661527B82164610,SHA256=2C499293A29E78B11AEC26EF01F59428AA10176471765A5FB12BA5305E32B105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:47.472{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062C30915467032B961A34D70ABF2751,SHA256=42CDE0DC54415271EF5B2D81797CACA14F6595A154BBA6128779A956C27AEFA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:48.856{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:48.855{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:48.849{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x8000000000000000195508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:48.512{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431DE519E34253404A816A9C17FE8E17,SHA256=C8FF9DCACC7C93C355A34D25B31C2F303B46B389A0364A8FF3F15C9B93CAEEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:48.551{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620C68CD3B003DC251E00B97EE972765,SHA256=A8864E783753105F2AEA9B0C47F441C9C7ABED1910271CBF1C2441B7B68DD887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:49.640{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D29797A2FC131DB6945F9F63E1AE1F9,SHA256=FDB56E5D4503DB8934548BC15E9E1B6863C055E4912F00F9BE8FB8FF8D59A811,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:47.954{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60604-false10.0.1.12-8000- 10341000x8000000000000000195560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.586{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.583{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.582{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.580{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.577{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A878-6356-FB0F-000000008902}10160C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.576{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.568{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.565{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.562{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.559{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.556{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.555{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.553{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.552{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.549{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.532{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.531{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.530{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.529{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.528{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.527{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.525{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.521{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.519{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.516{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.514{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.506{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.504{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.477{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.473{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.462{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.461{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.461{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.447{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.439{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.406{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.398{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.388{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.384{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.382{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.379{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.376{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.373{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.372{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.369{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.368{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.366{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x8000000000000000195513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.080{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=2A33F4AD3D541D32BB8213868876B929,SHA256=D46A2C7A48908D81E8E4399319572052388E2191FAED409D32F830F23F9A69E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:49.080{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:50.831{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7475AF9B5B66982AF7642A1BE4C3CF8,SHA256=5B0953FE41523CF868D1F14544F15D3F0E4564055DB75B9460C485F8C8AD6C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:50.598{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94DB9C30214641BFF5C5C3E154CBC5E,SHA256=A3E19C55B7D955A6399591BFD294664447CABF537E5651C23F62B51B7A043CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:50.031{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A03555AF05F517290BF04336B25953A,SHA256=CF2C4D962385779A1C0CCCD22CE2DDCBCDCB935D9B11B3050B59FE1B5E7A4FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:51.925{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BE2CACEA269B60B7F9B64B52E343CF,SHA256=24F17885BFF0A3C59049B61CB8BEBF69B7DCB3AD68B647BEAA4C0E7921EDD9A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:51.669{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2C6924FCFB562110C32519407F12C5,SHA256=07BE519C1189CF1ABE50FCB96A3BB891DD5B220407719845CAF3F1DC7B3C9384,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:47.754{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53770-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000195565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:52.707{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64DE0D7EAFA00444F9204CDFB82BB7E,SHA256=B6F604EE43D255A6D0FC60BB7CF1DF30E62C07B843EA06F68A59D0653CA17578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:53.786{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398C117DE36CC1C67325360574984C8A,SHA256=B2CDAE696CE04862DF277551168A5DD732A522624315D0E2C05CBC50EF710D4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:53.015{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399A5B76B5A7998F31423F19272A9DC1,SHA256=A3C4DB8288F971C6B0EBAFC35F0212032DDA5C3A725C3F5C857AFF9D339228CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:54.857{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B222A31BCA1FEC0DACC8EA585CEEAD84,SHA256=A556E42739B2D5864C914BCDCEAB2C95F1F3D07BC59AE6331ACE7CB666881A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:54.107{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561CD6B17413B328CEA7D187CCD16D21,SHA256=0973CA64D3F6A6F65101D4CB26A26CE46A8335AE2E23B6EF9D849F691AD1E874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:55.904{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAEABFB01F8C433A8B53928E2F20D65,SHA256=1E75784EF0DE97FBE5F522F91DD3CEC6FCED18304FA90F0713A80A55ACEB89EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:52.817{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53771-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:55.201{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77222C670D606DC0A36AC3EE89FB1999,SHA256=E49B3385945E5BFDA0B0B4FBABEAC27DA11B7960CD782FA51A2B18391F97886C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:53.962{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60605-false10.0.1.12-8000- 23542300x8000000000000000195570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:56.974{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5097CEDDB7CD71EF84D4D17811770E37,SHA256=6287C228B01876763D5CEE1B0B55345B1127DE99D95DD4CBCA54FDFCD23707FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:56.280{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A56DC1DB36AC28DCDEAEFB01FB3104,SHA256=492368E31F473ED755494CE25C6AC0611C25C62ED597213343D7FC8BA225216A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA11-6356-6B0A-000000008A02}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AA11-6356-6B0A-000000008A02}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.964{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA11-6356-6B0A-000000008A02}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.965{3A30D728-AA11-6356-6B0A-000000008A02}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:57.383{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF4AC8B9150E23BDA9206AC045996F3,SHA256=E93A48B6528B14B50B0AFA03DEBF3A1D21E89B311D4D4FE9F8B7916EE1CB2960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA12-6356-6C0A-000000008A02}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AA12-6356-6C0A-000000008A02}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA12-6356-6C0A-000000008A02}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-AA12-6356-6C0A-000000008A02}3656C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.638{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CFEBD8A940B005C87FF581FACEFA8C9B,SHA256=45797216E5086CC133BC9501CD6D472E58E6D37703BB306F3C7FF67D834C88FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.588{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3E14B7225A4215EC6EC99CCB9C00019D,SHA256=C3ED5E7634FFD1A147E17A4EB5E944253768A5D41CDAF9724D7E152489EF1C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.454{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6703AC876C506B99174F1FAF7CF1B06F,SHA256=1DBC23BA6AEBF816F0896D97F34CE5E75D357171CD38A81CC50C41964C9E4F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:58.059{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5FE92429170DD2F53BD54E3D55F46D,SHA256=2A248F39B32298AC622E5AED39B46893EB662EEAFE1B78911A46A2AD6D19B456,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000100793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000100792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013dc926) 13241300x8000000000000000100791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0xe0ed9a49) 13241300x8000000000000000100790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7ba-0x42b20249) 13241300x8000000000000000100789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c2-0xa4766a49) 13241300x8000000000000000100788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000100787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x013dc926) 13241300x8000000000000000100786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b1-0xe0ed9a49) 13241300x8000000000000000100785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7ba-0x42b20249) 13241300x8000000000000000100784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:06:57.995{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c2-0xa4766a49) 23542300x8000000000000000100825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.667{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C43BE89C467D1AEC29082AFED8EC9A7,SHA256=5108585ADAF2AD462CD9417CA18700664760F8C94D442549924013498A6A3D9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.469{3A30D728-AA13-6356-6D0A-000000008A02}11003952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:57.931{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60606-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000195575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:57.931{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60606-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000195574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:59.593{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2DC27DA9EDA2D61BDE39E9BA40745EAE,SHA256=B2EBE48AD84A31F39D5BCB1901C5D8354F11A6EEBE89DE5289A8C3B69AEAC906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:59.107{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7A27AD27406F7663699029F6537136,SHA256=B40DC4EA0070FE9C367078DB54FDCB0605573194AFFE7680351A23AA8D7ED68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:59.076{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2F26322D785F767B80EC534A9519C35,SHA256=944D4D417F472ECCFBBBA0AA0739A4DE625FDB05E003396E5C493732FFEA2D84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA13-6356-6D0A-000000008A02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AA13-6356-6D0A-000000008A02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.313{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA13-6356-6D0A-000000008A02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:59.314{3A30D728-AA13-6356-6D0A-000000008A02}1100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.997{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC3E75C8593C7A7016ADEE7659961BCF,SHA256=9F964BA53E5CCD1819150C2E6D29C6C9183184207E47C24212D8E127B61CE446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.510{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF73C68FD14362A09EBACACA5B7ECEF,SHA256=552A8F2924C3016BFCF9967924A616A1FF6A305DC0F0C9E0DE320C1E9FAF1874,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:06:58.967{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60607-false10.0.1.12-8000- 23542300x8000000000000000195577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:00.178{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F13A75101C2F984E1AD8874BA970F7,SHA256=F3EE9C772517D0AEA6020BA5A7AE6EAB3B46658FD16E36D6D51F6869412764F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.338{3A30D728-AA14-6356-6E0A-000000008A02}27761072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA14-6356-6E0A-000000008A02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AA14-6356-6E0A-000000008A02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.140{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA14-6356-6E0A-000000008A02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.141{3A30D728-AA14-6356-6E0A-000000008A02}2776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000100828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.000{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.000{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:00.000{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA15-6356-700A-000000008A02}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AA15-6356-700A-000000008A02}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.855{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA15-6356-700A-000000008A02}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.856{3A30D728-AA15-6356-700A-000000008A02}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.592{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040FFA2EEE38839C6988473BA570E9A1,SHA256=043659F80AE7DC8FCB242070AC2025FFB7C4F9A5DCDB6DC449168975BBA72569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:01.245{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F848A950BB3DDB156BA863CC100298,SHA256=432599D90DE076A533F9D44B56EBF7D121DB2243762238DC40CDA2612ABC659B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.436{3A30D728-AA15-6356-6F0A-000000008A02}39843928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA15-6356-6F0A-000000008A02}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AA15-6356-6F0A-000000008A02}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA15-6356-6F0A-000000008A02}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:01.280{3A30D728-AA15-6356-6F0A-000000008A02}3984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:02.694{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540AEB476EE3CB9AFCFC11ABA48421AE,SHA256=C44F378121EF00BBCE36DDC9FCA52FA25E00E47F2B91B0AC99047A080206B720,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:06:58.802{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53772-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000195580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:02.367{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4AAA94087974C124860FB15D539E86,SHA256=AC9A7DA676E77323B0664729D7D1AB056E652AD033604E8EEC25B7BF329FD53C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:02.136{3A30D728-AA15-6356-700A-000000008A02}38843132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:02.090{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=34F54F5DEB5BD2B706518830914C45CA,SHA256=F4B58D5A9C06BAA108511EACE804424A0206F642D4212B56FEE43FDE12960ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.934{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4E74B7A47EE25F2968AB81B14FCEA3,SHA256=15F80FA1B99AAB3A68BD34B83E037C51847596FFDC658C8D4CD5C2A0AFE98723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:03.424{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79235DE8805E70BEC16215B164BE6C0D,SHA256=ADF1B64CEFC8888C58F8E0A14E2ED0F0BEFABCADB9F9A5330E078A0908E5C3CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.616{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.614{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.611{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.605{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.603{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.599{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.597{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.594{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.593{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.590{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.587{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.583{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.581{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.569{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.559{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.542{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.540{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.522{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.489{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.482{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.465{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.452{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.425{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.419{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.410{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.403{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.393{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.386{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000100876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.382{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000195584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:04.667{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:04.667{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:04.583{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9422ABD0D146FA5B672225B179DAD3,SHA256=57BCA541D31EE84B208DDB322308ED5FA755258A4E18B0F9B79D3A2ED1053819,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:03.973{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60608-false10.0.1.12-8000- 23542300x8000000000000000195585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:05.634{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6F17222990A588C50655FCAD03C508,SHA256=6ADA4B47B9B533E9BC91A18816AC97C81BD5B6E716915CFE629082C53BACF236,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.933{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.933{3A30D728-58B9-6356-0B00-000000008A02}6243116C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.913{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.099{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FCC58E3B2D372FDBB5A5FA0EECED2A,SHA256=EE211236953C7751BE0DEBA67F76C91F3DFA4E113C5035586115FE254FD331D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA19-6356-710A-000000008A02}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AA19-6356-710A-000000008A02}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000100908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000100907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.083{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA19-6356-710A-000000008A02}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000100906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:05.084{3A30D728-AA19-6356-710A-000000008A02}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000195611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.917{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.915{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.914{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.905{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 23542300x8000000000000000195607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.684{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA1466122DC036E02F7C137FD53C71E,SHA256=5A4083D310064B1DFFCFF20BB0892DE541756405165825327699DE9A6D836152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:06.159{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FAC7C71CC038C12EBE9AF4E01FD134,SHA256=13F127BB144C2D8CBD1F6AE648DCCFC5380B6DC38BE6A3060634314926B63238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:06.159{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36B5E45C5C85B53142DCB0FAF40C9A8E,SHA256=E21B340F9A1E20AC4D18AEB87CDFB9262FCDA24655CDD6638D6978CA6EFA3725,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.437{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.425{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.421{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.415{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.412{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.411{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.409{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.387{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.382{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.370{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.363{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.356{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.344{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.335{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.326{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.320{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.306{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.297{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.234{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:06.230{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 23542300x8000000000000000195614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:07.706{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6027F5D2E1B033504A15F8AD291645DB,SHA256=61D312EAD4D7427A5CD75ADAAFBAF3FF4C65C447351C53C67F441C7A8BDBE997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:07.249{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588E917B97CC3FC0431E331706DDE41D,SHA256=30C476FA5A9FEEF5421291E63764F3F388F3255B26CEAF7E889DA91B7C57C5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:07.036{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\cache\caches.sqlite-walMD5=EFB62B3CBBEA2C3182D0AE530C4CC939,SHA256=31B30FED4211A3797438F33A518F0A4819F6F6F726F26D62A0478951E65C88F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:07.036{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\cache\caches.sqlite-shmMD5=6F94A400E5C7DDF69FD698A3276CC234,SHA256=5C3FE416E24D71706C279FB6675A43CFBD50586BA1FCA060DD9ADDFED04D32E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:03.943{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53773-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000195618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:08.966{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:08.963{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:08.956{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 23542300x8000000000000000195615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:08.772{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3B605926222FDE4E1D4EE983192037E,SHA256=8C0D0659D041F8920DE05F6024B8E667C6AE55DC48D0FC45AD7B40728EB0ADC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:08.340{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C65A1F07FC4FCFCD0EB99DE314E1FD9,SHA256=A7E049E407EEFF7BBAF056150940C939730E4833D32E9CA0CE4FEA4DC23A5910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.940{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA455A74F001CDC724DC631BBD72984,SHA256=28E86975092E5379320EC3DB0F954D5C170FBD44FEDF895E37D490FBDC420782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:09.428{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C061847162CE63E63BDD918BD5F92C,SHA256=D3D0C1BADD9F9DC9AAF094F1C1E684DE66F5731C6CDDB76E241881DCFEE1E5E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.727{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.724{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.721{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.718{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.717{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.709{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.707{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.704{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.701{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.697{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.696{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.696{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.694{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.690{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.664{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.663{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.663{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.661{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.660{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.650{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.648{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.645{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.641{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.639{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.636{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.628{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.626{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.596{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.593{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.583{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.582{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.579{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.566{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.558{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.523{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.512{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.501{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.494{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.492{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.489{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.486{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.483{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.481{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.477{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.476{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000195619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.474{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 23542300x8000000000000000100930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:10.511{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68DFE6F3822732265D4842E2C771F5C7,SHA256=4A4ED90AA3B8AF43CD142CAF06375E6C4D5E788DEE023522807D0CC7F45E8994,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:10.056{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:10.056{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:11.604{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3498ED2C2265996775753DA8EA7780,SHA256=C543C5F1CAC372FFD05AEA56A85190AFC3EB5A7D175D77AB32C9A736CB685914,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:09.946{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60609-false10.0.1.12-8000- 23542300x8000000000000000195668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:11.022{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77F7426D10644614AA1375B6CD5D58E,SHA256=4E0BD72A3D7F5D04EC5EEED7BEA5E86EF0CB288F3CE052BADD1AB7FE021D958B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:09.922{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53774-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:12.702{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C4F6A4EC50351A1CC5DC54FDF0FBB67,SHA256=DD4CCB0350979D9B914710ADE7FD01BBEBB455759798E781246F25480ED71B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:12.077{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1189FF55AA84AC2A8879B49FDDD0C4,SHA256=50CFFB892EFC24ED3EA3AFC9CA228CF79153470E78EC85FE28FCD6A65E1D6464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:13.783{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A53BF82E1BA87F290AE52E61B7FD397,SHA256=B1AF1628151267D96544A3C7CA5A898EA1ED1F6275052896D35CDA6586B135FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:13.226{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D681D0DECD3DACBF1E9C69DC76E5BC,SHA256=5CA4273ACFF20797F2E25FA0F43AFC3F145A21EC1D0A601ED0BEF3211C750468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:14.863{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E020C6DA6E65FC9E422E3EFEDB51881,SHA256=136EB76FE999CABA995DC920D83203767DC7C0ABBD4611474CCCA6F19AAE61F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:14.326{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700B94CECF3FF3A77CB787E3C381F8C7,SHA256=1784C9B4985D5D62F712F90665A6E4DC668623936ADF3AE30F51FB123CF347D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:15.948{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C4A0AD1874502B103E9873993F5619,SHA256=C21B7EF6259ED939239911FD9232E66842B2CCFF6A5C25626CBC6DDC2DD2BFBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:15.361{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92E3A34B694E3FBC5F30C1DC675288D1,SHA256=193D6B281E7316B13AC10A2C0584D2B0FBEF788B108F83D110A44C0CB7783684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:16.383{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD428014AD6C6F8A213F6402537618B,SHA256=4AD6C454B6B206045CAE17D556A09DBCF985C75B0DDEF6E3310F53F5EE69A092,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:15.934{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60610-false10.0.1.12-8000- 23542300x8000000000000000195675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:17.443{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24EB70CDFD47DC36C22BB724FA896AF,SHA256=F8D645C7B38530774A03979D2DD23A24C3D1A380816868F55005F97B31D661EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:17.024{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CDCDB688B5B6F1E4F801BF642D98CB,SHA256=C331F8974C5E8C9A615C8271A4FD4AA2FFBEC96D4C48E9CCB7CD244845C12E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:18.499{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=918BA3C08CBF973BBE86A8BEA8FB9129,SHA256=686C8C1DB793974FABA8FC37C576F4EA9B1F309AE9FFB2BDEA4BA9113B9390CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:18.100{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B4FCEDEE3F123AC654210A61CE133F5,SHA256=74AB0DC551F7D2D0C0E422D4F0DC9E946D636D680C4E7D296F07A188DA3BB974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:18.054{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:19.548{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40BEF262EC68E94CF38EBC7998E0FD0C,SHA256=0E214AD816A271F429AABA49D0F6E35A7DF39EC65506D83B9E89DC12CAD6648C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:15.930{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53775-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:19.073{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FAAB2958403D0EE87DC484D2DF6DA1,SHA256=C319F270164E2166A736DC804D1FD5ED6D55DCDD2625E52A231C2A2FC46300C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:20.601{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BCF530FCC385C098B922319FD227874,SHA256=1C3E572D1F6040E43013BCF1B565BB73276AF317F4AD3858BD285B99A8305EF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:16.720{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53776-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000100942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:20.150{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D4CCA2E264026150921C0A9A9BF5F1,SHA256=A5C0D843B695F5399BCDD6456FF5E72F3C8F6A91A3388AC781852D0560FA8688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:21.618{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84B08E65F0C32B52BF60AC3F05509BA,SHA256=E23991B7818D2C7D2595B6857D0C6DF60728F323A32B76340A6519EA3B8D265C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:21.230{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441BB6DA4DD4155A0CFEFA457C7524D7,SHA256=A628071393167D26BDB3696D6A0CABFCAA6A9D0B4AD0DA278DEBAC660B8CCE8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:20.939{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60611-false10.0.1.12-8000- 23542300x8000000000000000195681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:22.690{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=136E0306D66FCB5B3BA08158DD175BF9,SHA256=533DD0E1891E9FA49D19C100A2B92B75C2BF55B754B9F855B83A3C85748C56B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:22.318{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05854E40DBE48F6EDD700147359F5D0C,SHA256=D247B9C8B2F228BC13ED395A359345E6CDFC73F9CDCE40D3B25121BA973BF2A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:23.740{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5F148857E34116171B79FED4151EF1,SHA256=2223E3462C8414F0114901F5ABA62A43600CBAE2D51975F12DB1D92030B1D357,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.632{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.628{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.625{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.619{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.618{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.611{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.610{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.606{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.603{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.600{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.598{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.592{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.590{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.579{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.568{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.535{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.531{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.522{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.481{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.467{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.460{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.447{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.438{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.426{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.413{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.404{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 23542300x8000000000000000100949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.402{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=314BFD16246731889A69786F8A4C0291,SHA256=04D41091315FA1BC4F87D3D7EA59C271960A4B78AE4F9FAC905D804B4CB51B69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000100948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.386{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.374{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000100946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:23.371{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 23542300x8000000000000000195685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:24.807{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A14F3AB83DE45EB8EE0F9D8ADA111D,SHA256=D7FF3AD6C6C24F10CFEF4DB3531079C2FED488718A347370D2418ECA0CBCED00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:24.770{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3656203FB79F86403ED851045C9130D5,SHA256=7239F604209E11291439531407F6119D768665E66B3EB1E24503C9C0EEF1C884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:24.724{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF147cf30.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:21.792{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53777-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000195694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:25.877{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B87326FE905D8943D46556533694C6AF,SHA256=4809960D72B87768A4FD2765548DDAF00705CF373977F0E5421B3C1BD075346C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:25.858{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA2D-6356-3510-000000008902}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:25.858{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:25.858{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:25.858{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:25.858{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:25.858{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AA2D-6356-3510-000000008902}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:25.858{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA2D-6356-3510-000000008902}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:25.856{E8723972-AA2D-6356-3510-000000008902}9808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000100978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:25.790{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085C75182439EC14FD0F2A9F0C28BF1B,SHA256=AF5007B5256419E38A9FE35FB57157602AD688CE14D036958FC959FBBD49EF43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.901{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8443B13B949DBB5E4C7910DC574E9FA7,SHA256=E694C466756C593016FEAE39D8884C8EE1859C9A5E2B6512A82C80244D0D7DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:26.865{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5E01043936B55192D66C2863D689F5,SHA256=D0684867090E5BC8625276828F840D9F958676A871EF9FC8F65B256923CBECEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.838{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.836{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.835{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.832{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.749{E8723972-AA2E-6356-3610-000000008902}63569404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.535{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA2E-6356-3610-000000008902}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.533{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.533{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.533{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.533{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.532{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AA2E-6356-3610-000000008902}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.532{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA2E-6356-3610-000000008902}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.531{E8723972-AA2E-6356-3610-000000008902}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000195714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.423{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.411{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.406{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.400{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.397{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.395{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.393{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.366{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.357{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.343{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.337{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.331{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.323{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.314{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.304{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.297{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.288{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.278{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.236{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.234{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x8000000000000000100980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:27.945{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB778AEDAC753F70C4FF3B2D0C71DED1,SHA256=5BE0535186BF68501D21DD83E8C956EA60D9B3EC365B45A5D20D2D8C7FBF54C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.142{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000195739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.142{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.142{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF147d8a6.TMPMD5=B6AF075EEF849C96E5B077C7686AD18F,SHA256=6238E31FF8D53F83D88B98475C1ADF7A06FFF50096493BBE9E30B6DA56F87D59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.052{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA2F-6356-3710-000000008902}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.050{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.050{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.049{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.049{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.049{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AA2F-6356-3710-000000008902}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.049{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA2F-6356-3710-000000008902}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.048{E8723972-AA2F-6356-3710-000000008902}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.047{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA35DE1493AFB213C26AE8E11666C824,SHA256=A1B36C09F72BDA4864C40C35C8EAFE3DC1514FF44A2A97F85E2DBF48464E73DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:28.868{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:28.866{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:28.860{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:28.731{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:28.731{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:28.731{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:28.713{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:28.277{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=527A49254A0EF811B19CD3FEB5D2571C,SHA256=69122810E281E0EB6D4205B2EBBC20DBA7028236B543F919E557CFE835DF4ACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:28.095{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:26.134{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60612-false10.0.1.12-8000- 23542300x8000000000000000195741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:27.995{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C233CB1862C94903344E723BA5A724A2,SHA256=A33562317E7AD7B77BAF23A4F6E8B948435B3A0995929466E43FF7C7F4B436EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.882{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F0317738C7965EA7DC7375426BF92307,SHA256=A112E4283C68A23422AC364F24054413E9467E761D87CE6393C2F3DBB472A4E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.619{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.617{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.616{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.613{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.612{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.600{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.597{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.593{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.590{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.587{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.587{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.586{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.584{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.580{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.564{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.563{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.563{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.562{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.561{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.560{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.558{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.554{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.552{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.549{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.546{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.538{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.534{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.506{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.501{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.489{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.489{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.488{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.473{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.461{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.423{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.417{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.404{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.399{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.397{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.394{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.391{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.389{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.387{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.383{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.382{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000195753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.380{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x8000000000000000195752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:29.081{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0499A5058B9A81FD8E8D62F364ED4BD,SHA256=FAA0B4618151341744597D7AFA5A8BF688B7C8644C311DB2A9B0974833F98E12,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:26.906{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53778-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:29.020{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B41A3F293E82CF05DC23C2A6E9727840,SHA256=7A9CB27825A6005132285B1F8F690E27544416D8C5EB9EAE225D9667CFC4EE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.622{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=42B8DDA42F2CD05E96CAC00339CFC39D,SHA256=53FE018A923E2A42BBE3FF7E9227B248A053AFBE285A5B7677B9E1029074A6C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.622{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=BA1CDD5FB12AA945AA66AD0D26D55583,SHA256=4011171BBF3CD22B349D88AA607CD847C90DC1D21F6699A973C0886A8CDF969F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.621{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=0D48011C8B277BEDBFA6A8DDC1CAAE43,SHA256=03CFA556D1731CF6FB767E5B2BA2C8F9AA97A73BA7B800D58E974909A832753B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.530{E8723972-AA32-6356-3810-000000008902}53487588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.364{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA32-6356-3810-000000008902}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.364{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.364{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.364{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.364{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.364{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AA32-6356-3810-000000008902}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.364{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA32-6356-3810-000000008902}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.364{E8723972-AA32-6356-3810-000000008902}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:30.363{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C79BF0D1DC248ABCD4F6DE3FAAF8245,SHA256=0659C2EA92DA9777FEB0106CCFCD6821F93F34557DF920827B83909AB8DB7BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:30.115{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B2F223FD62C54DB6ED6083452B979E,SHA256=2A458FD46D9AD7089871B1407445CCE0C795D9E4DFBEE6B1AC094EC6E35238E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.884{E8723972-AA33-6356-3A10-000000008902}67124540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.700{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA33-6356-3A10-000000008902}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.700{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.700{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.700{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.700{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.700{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AA33-6356-3A10-000000008902}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.700{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA33-6356-3A10-000000008902}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.702{E8723972-AA33-6356-3A10-000000008902}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.483{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E05C681B3ABD1B602F9D7AA0BD1F6D,SHA256=98F372D6C6F6C970961D4DE3703550D08396E207B8BF65D9D223AE665DFA999F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:31.200{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E2E7992C238E7B5B0EACF5B2D072B6,SHA256=8FA47572573E25F05AC8915233DC908C0EF26761AA57C021959267CE385DEBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.214{E8723972-AA33-6356-3910-000000008902}65007796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.030{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA33-6356-3910-000000008902}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.030{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.030{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.030{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.030{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.030{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AA33-6356-3910-000000008902}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.030{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA33-6356-3910-000000008902}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:31.031{E8723972-AA33-6356-3910-000000008902}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.732{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0350316625297E6000A33221B926F255,SHA256=1C8270BBF5D5EAF0296110EEBE118406C19AF1CEF28BBDB113F7A7E24D8AAD8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.638{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA34-6356-3B10-000000008902}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.636{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.636{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.635{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.635{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.635{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AA34-6356-3B10-000000008902}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000195834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.635{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA34-6356-3B10-000000008902}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000195833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.632{E8723972-AA34-6356-3B10-000000008902}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.566{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE5BF5627113A8CD5C299C0CE139BD8,SHA256=1C976B3F006085CDB929AB6536ED8307E51F94FDAD3B90434CE01CE542EAE6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:32.307{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C9FB00EA11D34DF3C08E150960A81C0B,SHA256=32211A381A18569BD3F91057EFFB2A06269614771F8F78A1B1FF00DA1C31D362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:32.274{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E662FBB3648B8FD37D657E64DE2E85,SHA256=CED9DA75FCD3EC1E0FB043ACB11F0A1CCBBBC0551817088E891CE7E6001D3991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:33.654{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8564D43B22E57BE4D1DF8447966596ED,SHA256=C11A8CB81CE20727C323B0ED54888E97E1C8E2CA501258C79B56215A228AC090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:33.366{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D3886B457C2289818221E48AAEEEC1,SHA256=33CCF620A7288AAD1CA6A3645BF4EE13DEBAB24778982F28570707728F52F54C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:33.050{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-348MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:34.610{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-338MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:34.456{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E01D5BB9586C353400AE46E4F0EF47,SHA256=5F3B605F01FED8B7E6EBF75297E2299F49D2140304D4D930536CCE90BBF2C9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:34.734{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FA36BD1BC3E0053D02575B88548462,SHA256=FC75838C8D548CF6C0868527B498DCBE6A87971B8ABE4EEF00D614BA057EFC75,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:32.009{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60613-false10.0.1.12-8000- 23542300x8000000000000000195844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:34.050{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-349MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:35.785{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73208DEBA661CAAEF8F54B089A3225BC,SHA256=6DDB8089E89BBBCCFF62F7C82A769C48D5B88FF5EDB6AB79A42847FC3F96F800,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:32.919{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53779-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000100991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:35.620{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-339MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:35.515{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9575D4E92487ABA97AE1FC7C76230E45,SHA256=E62C3F7CE0EFD077C14D08F63DF9AB1A3AF1594B83FA38507CD4F0EA5314CB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:36.937{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45AB17166B6FB835BC3F0D86A7766F9,SHA256=E1364368445F2986690EEE00F006F9DAD47B2BB3EBD518415305481364AAF60C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:36.581{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DE811D886CFC53BB89C73B10D8F9B63,SHA256=CA550C74C2491BCC186314876FC2ED5E4D159415DD606FBD21DEB20288EB1D90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:37.989{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A79A835AD784B0C1B1EF0884DF1CFB20,SHA256=8B5FCC4DEF4B92F6F962D1172927B73B895CF2B58B6C6426C74DA3B24EA798BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:37.655{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439D3CDEB18B92495A7502E4C681A7C3,SHA256=A874FD937917A408B59356ED359AB339EA434BB335E235AA200E789C2FC058E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:38.723{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD33EB2CF4DBC4A9CEB9ECBE2512779,SHA256=55497CE7A1A486974A0F1393E7DBD19778328E2A1267AC1EC1B2003DF10449FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:38.389{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-A8AF-6356-0610-000000008902}3336C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000195850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:38.389{E8723972-5646-6356-0D00-000000008902}9124748C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000100996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:39.801{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F53179ACB6001660C6E1CD0472BA529,SHA256=A8CDFA6BF0156CBE3B98B9CE23737C2166BD63E93D531F97209DDB4B868D19F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:37.930{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60614-false10.0.1.12-8000- 23542300x8000000000000000195852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:39.039{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A18A380BBCE9FAF1197E1449B3AC2F2,SHA256=5CA9AFB55366A79CE30C194297D8FDCD34791AA83A36DE43A0701052EB14371F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:40.872{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDEA727E49BBDA8815C5C36E37A8934,SHA256=8B25CCCA5AA1455CEF163394B55417C372B1F14C6EE070E760CF694D3FEA5A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:40.074{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF0DE55368855E0D0127BB2376414BB,SHA256=2FEA8BDBB7FC4CFF5891370BA2D2A3878B4DDF6AC63EAED4821FBBCB2D0E577D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000100999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:41.955{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816ED1DE6094322D0984C31DE90C37B9,SHA256=34EE1E9BAAA26DB4E3E05BF0E77D74802564F8765392F64BD6E3FCD4BAD7E438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:41.142{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29FEB46022D7DBA87BFFFDBCB74EEAA,SHA256=8AE3297179E4A98EDD770DCC971D95107B13F29D52E11B33E8C416891FFD8099,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000100998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:38.806{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53780-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000195856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:42.212{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B3FDAD6325348D13723548AA2DE9DF,SHA256=84D57B132B504B15DCA493DBD645617F1FCEA5A76CC056C02A0DB55A64E7631A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:43.262{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A87B45624A83314F33309B5BDDD1B7C,SHA256=250D3AA6FB7299801A1E8E20B5A56501916257095C277B218110D9E36BDFD547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.623{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.620{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.617{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.613{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.611{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.607{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.606{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.601{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.600{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.597{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.595{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.591{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.589{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.581{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.570{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.545{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.542{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.533{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.481{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.469{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.452{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.439{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.427{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.416{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.404{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.395{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.384{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.372{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.366{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 23542300x8000000000000000101000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.030{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AF96DEF72FE4CD3B7440A9F49C2A1F,SHA256=190231D12ACD34765F3A233A4F1D6AEAE04D5793FA8E61E95E797DB2E0FAD2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:44.330{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B221516B9C880DEE48ACF2CD3A66D3C,SHA256=4448120941EFE574BDD94E88C572CED10D48A7754E58CA9007B6E4DE768585CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:44.377{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7A695615E7715058EFD75A47D36EFD,SHA256=DFF0D8CB3965BC4C4E545B3AF644921CAA42EE83D328640BA959ED51F385FA2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:42.935{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60615-false10.0.1.12-8000- 23542300x8000000000000000195860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:45.397{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5FC77475BC8FE628C308EAD4F33781,SHA256=198180D28D7FCC81ADB7A1467428422080F1E7603611B2928565FC5E268A5DB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:45.493{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7A5FB066302AF628A83ADE5862C8DE,SHA256=F9F9D456F98C0FB3269E647C7ED1713B0F417335DABDA040328DCEEA8C429C57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.797{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.794{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.792{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.788{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000195882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.441{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDF62A3829BE8231A0A4F7CD58BEEC5,SHA256=B9A78DD8A37B3B447D53248346149A998B130261CCD1DA66FC7E67BD8EAD042E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.422{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.409{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.405{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.399{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 354300x8000000000000000101033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:43.832{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53781-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:46.562{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789CE37B72B2128BB85AA47F66E5DEFB,SHA256=C17C6C1483F10A916A8DD814B74553F8EFA2B44BA80E63D012C890DE0427B4A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.396{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.393{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.391{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.369{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.363{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.352{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.346{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.339{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.330{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000195868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.323{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.322{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.311{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.304{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.295{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.286{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.235{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.231{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000195887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:47.484{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FCA8CCFDC692F359F2E6F3A971DDBC,SHA256=A759B3FD30755D3E5657E854008907D9B31EE7F064FB8A38A8CAB6470ACC2459,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:44.910{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl56320-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000101034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:47.647{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC18BD73DB56DA477A372D97CD3356D5,SHA256=5F64BC8E2E8E5746CB266F0018CD9EEF153908290DF72C857EAB4DC48E7423A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:48.822{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:48.819{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 10341000x8000000000000000195890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:48.814{E8723972-5912-6356-D001-000000008902}56046172C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E00610) 23542300x8000000000000000195889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:48.585{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238B303D0FCC6077E01EB2E04DEC317F,SHA256=B2ABB1E668F3C0CEB47FE6CB1953328A56C22A8BDC3D857FADA011339B81560D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:48.738{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F157C92E1BEAA9EB9C092869025D37D3,SHA256=B4412184855EB268B8DAFEC3A95211C2AA6E673BA9CB0123947EF877410F7540,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:46.199{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60616-false10.0.1.12-8089- 23542300x8000000000000000101038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:49.822{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F231BEB4F2EA30A1CB8D850212910AA,SHA256=7D27BBAB98F58FB509296F1B74B1555C066DF7371DC9D3FFE49EC82F1A7B2552,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.563{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.561{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.559{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.558{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.551{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.548{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.546{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.543{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.540{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.539{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.538{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.536{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.533{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.509{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.508{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.508{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.507{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.506{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.505{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.503{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.499{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.496{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.494{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.492{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.484{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.482{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.450{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.446{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.436{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.435{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.435{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.421{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.414{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.382{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.375{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.365{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.361{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.358{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.355{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.352{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.349{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.348{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.342{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.339{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 10341000x8000000000000000195893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:49.337{E8723972-5912-6356-D001-000000008902}56045580C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012838610) 23542300x8000000000000000101037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:49.278{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4ACCD5B2938DFBE5824E38F002DC35E,SHA256=9D8832E07674C4AB4167EBF83F3B50F409367C3B29066B34E8DD97692E23CD89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:50.901{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E33D6F398A06D11F53EBD797F67DE9,SHA256=3E45F1163C9CC37DE65BC3101E030A4A7DEA63021AD7178D61E96AAED7B703D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:50.102{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2646C5D774F01821443DD2BF556239,SHA256=90FC7F2A2A6E9EA83643702C09B3F68DD12B06734228B71AC3EA5CD8CED0493D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:51.989{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C2EDAB2648A8C1C56A18F5B836DF17,SHA256=D50349C3133B469123492605BF1E466C72231AD3F1F1CBD13E01AE9367746921,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:48.927{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60617-false10.0.1.12-8000- 23542300x8000000000000000195939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:51.237{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3B461853B0462BA7850B17DFF56DF8,SHA256=B1BAD6A941B745252707B8B057F3C3E3231AC0B363DBE52C01C3D5A56CD989BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:52.253{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525FC4AFC5B4A39A64F879B074A14DFA,SHA256=24788BE7AB6B86194651CE553FFCEB77122022E94B13CE649D109D7B2773EEE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:53.369{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9637C499697D5A759F3F29427A6A3560,SHA256=AAA1E9D80A72662F4E2E163DEC05C790DB71D33D59D42DCAEF6FCEE9F09D6247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:49.775{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53782-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:53.089{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE50674E92D39F5EE2CF6FF2357F6BFD,SHA256=0525429F19A024A22DA1B1F5B32E47A416BB4AA4D005C86A8E975F62CF38969D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:54.487{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D13B93473884DB40B30C54D0ED9F00,SHA256=8114901067E568713E14889E7F985C4BFE37FF23D3D73048EA1782F105A61835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:54.167{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4493E8D49DE2E83496A7EA11B9AC40D9,SHA256=492E262F73F826D67686846D6503418C4E99CB4E01422D042E85BEC5AE8344D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:55.623{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694AD53315AC44508BBEDBFE6776C780,SHA256=03266C268275026A58C89E4892317FDC927999DD77CA87C29FD3E9BDDA3C2AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:55.254{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=167BDB25B94B8B0FB9EE6DA5D7CD3DFB,SHA256=D4F2ED761DF5A5AC0A1DE29A72F8AAAC47BE4B84DC007EFC56243ED7D1AE1FBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:56.638{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05407BB62BBD6DC257650E41ABD75DD6,SHA256=E49A4C0159B417A5C5189EF00C9B6EE9994F14208891CD22610103EC24A33E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:56.342{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6EB401F6203C7466512558E622A44B7,SHA256=43C52AD50D9966E59BA68225CACEB859D51107474FDF001F1664800B68B29A15,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000195945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:53.976{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60618-false10.0.1.12-8000- 23542300x8000000000000000195947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:57.739{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF015345E6304998F24E3DE2D57FEC2F,SHA256=8AD0EDED6A8ED481064E3875F86900BE9D9A38BB759767B95E265ADC3708F75A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA4D-6356-720A-000000008A02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AA4D-6356-720A-000000008A02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.819{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA4D-6356-720A-000000008A02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.820{3A30D728-AA4D-6356-720A-000000008A02}2284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:57.427{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D7BF63CCDD2F550B94D51EB12D1409,SHA256=17A3784FAD3F950AFB58692715B8625ACD8584CC6B6F7473BE6BB1E2899E6A81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:58.806{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52744B9209E8409FCA0C664C32177DE9,SHA256=F49BAB24C2D73672323EBB2E4729CAC7007E2F10096D2CB423AB00DEC3C209A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.947{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=541798017E3D3D2C7550EAF44E4B4650,SHA256=C19E9341A1B50FBE58ECF2EB7B229160F98E66A0B73F71C80D725DBE95380A74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.692{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.692{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.692{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.691{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.691{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.691{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x8000000000000000101077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.639{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5169C1661D8C3476DDA98FA3FCB0CD90,SHA256=99CE99BA526EAF7A84526E599D621627133E2044D416AD33828FEBCF42912233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.523{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30D97CFA3E1435B805CAE678DCAE9BA,SHA256=5AE1D86C4D20B79E05C73AD26B08B924A4314F9A53E139649B3D83E2D1AFBDDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.492{3A30D728-AA4E-6356-730A-000000008A02}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:54.926{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53783-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.090{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B75F3E92535626E5F8FC851169079282,SHA256=A367E14D2166DAE85627015945C5CD207C6FAE3EE41D2699B07659C990D052D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:58.022{3A30D728-AA4D-6356-720A-000000008A02}22841244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.667{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F89B6B405D96850B4CA105EC81BCDC,SHA256=2CCDECBB9E37011A794A96E28AFFD2CCC1A4D350D5E1397DB9F4FEBE3A42FE62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:59.935{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E899E53F8DAF4B3F909AB52E48798231,SHA256=673C1FAF43D37EDB6FCBE062274D830F9DF6F335309B88ADD67170E7F56CE238,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:59.823{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000195951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:57.945{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60619-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000195950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:57.945{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60619-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000195949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:59.123{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=476FE44AF79E540D38C95CF5574F2C1C,SHA256=54B53DFD96E0EEAC8452D922EB2537797E1D38D638B80DB3076B15D119DC1C79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA4F-6356-740A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AA4F-6356-740A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.056{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA4F-6356-740A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:07:59.057{3A30D728-AA4F-6356-740A-000000008A02}2728C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:00.935{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD63802899CB40FEF3ED0CDB8B3E6A91,SHA256=1F31D571A70D15D36A2309F5D72A7D8EB2AF6FA7E6E9C8BF8F288FAE4B8370A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.879{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C3A11DE97065378CCDD46C8D5BC0572,SHA256=6BF1FA14B43E8CE4017241491802DB8FD66D4F0988108F53E342877C84291215,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.375{3A30D728-AA50-6356-750A-000000008A02}26963064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA50-6356-750A-000000008A02}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AA50-6356-750A-000000008A02}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.146{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA50-6356-750A-000000008A02}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.147{3A30D728-AA50-6356-750A-000000008A02}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000195954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:00.223{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=49F6E1003EA635956E2205A5808FD91B,SHA256=E6EDFBA8B7487E1D3748294CFA5F15D8C8757805CC2A57E45ABD08A3803B019B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DDC3F9B2F98B4086857275A7EB246B,SHA256=E7583F37166E3060D3B85AC41458282DBC199701B2FAD29287FB86F7D0C9A98A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA51-6356-770A-000000008A02}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AA51-6356-770A-000000008A02}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.970{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA51-6356-770A-000000008A02}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.971{3A30D728-AA51-6356-770A-000000008A02}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000195956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:07:59.017{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60620-false10.0.1.12-8000- 10341000x8000000000000000101127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.510{3A30D728-AA51-6356-760A-000000008A02}26481852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA51-6356-760A-000000008A02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AA51-6356-760A-000000008A02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.290{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA51-6356-760A-000000008A02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:01.291{3A30D728-AA51-6356-760A-000000008A02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:02.543{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8916D842D912598693698E1206554102,SHA256=DD40BCE2D9361AAA5C9CBD24CE80B3D7678E5B0978589DC6A2B344E5FC595CF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:02.190{3A30D728-AA51-6356-770A-000000008A02}10003936C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000195957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:02.055{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D28EE15D3CDA2109A1DF74030791020,SHA256=5674A9D08DD8C0EF22C9325B47B39A7100BD038C606D4AFEAE965ECCF00C7F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:03.156{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67FB5204DD059BBEC21C2C7354BAAAC,SHA256=5B7EB5B0316FF1AB22E5DBEEE978B3E7BE732944BA8C7A30972E6CFBE10DE8EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.578{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.575{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.569{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.563{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.562{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.559{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.558{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.555{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.554{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.551{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.549{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.546{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.544{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.537{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.527{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.512{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.510{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.499{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.468{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.462{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.453{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 354300x8000000000000000101153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:00.851{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53784-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000101152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.441{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.433{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.428{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.418{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.411{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.401{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.391{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.388{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x8000000000000000101144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:03.053{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D95B9D2812BD7FE2386F85443C7F0A,SHA256=6DFBD5F2114839D8DCEC668086BF6D87EBADC79B828F3E4C90CE743D47A56D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:04.272{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E191DDECB492CAC1A5051F6FE2D76D7,SHA256=8F771E63C52FFBE2BD388B090F2133275A785162E8211ABED0F7F542F4DED884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:04.308{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A973F1699C2DF5BB2A321222E1C272,SHA256=7DE66516727C2E05DB4B50E0823F38AB4A35D8D97A509BDA5DBED4D992AB352F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.935{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.935{3A30D728-58B9-6356-0B00-000000008A02}6243116C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.901{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.430{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6F2024E32AF999357F00878764B255,SHA256=9BC09BEFCBA4F842C9ED3E094472A9CB1678BC19DAB146F23950279B0501C215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000195960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:05.372{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C52D94E68E2F8BBAFD3C1497416FFA5,SHA256=982224F69E51EF104DB45BA38EAF6BD417F2C8BF9AD4DF770DC761BF04A8F813,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA55-6356-780A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AA55-6356-780A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.091{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA55-6356-780A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:05.092{3A30D728-AA55-6356-780A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000195986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.805{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.803{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.802{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.798{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000195982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:04.963{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60621-false10.0.1.12-8000- 23542300x8000000000000000195981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.449{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA543B42A71F8227B007C5796E2CD01,SHA256=B88C653739EBAC9D5E3C3F443763BB5803F40581F2D94CD1A8DD6C39D1BF74E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.397{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.387{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.382{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000101195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:06.493{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC30D076611305EED01A5FC0BC3126BA,SHA256=BF5C96E57B6122FAF30CF1B2B796EEBA9082832AD625740050AB98EEE2154EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:06.155{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16CD8E5D7282D104BD8E461E80B66240,SHA256=6C929FCCCC733710C2AD32C9D943A788BD09ACA8BA82C0BA011E450B158BF83D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.377{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.373{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.371{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.369{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.347{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.341{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.331{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.327{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.321{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.313{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.303{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.293{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.285{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.266{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.258{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.223{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:06.221{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000195987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:07.511{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37E94DA05C6336EB5C576D4ACB9DB01,SHA256=46D21A1C96AAD00B1EF38EAE9F82690D244208985148F9D40B2D14E1468D167F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:07.592{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC73C2CD273A5B0283366599754EBCB,SHA256=74E9FEBAD7676C96494456E231F4343016D7EE528DFD85668D493C93FB8FA406,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000195991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:08.837{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:08.834{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:08.827{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000195988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:08.642{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2AC469B5B0582F8057F8002E94A6B43,SHA256=1E916B665EC56E27D07062C9BB1635E21DBFBD1F3EEDF5E64663B52CAEEADDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:08.683{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590532195ED8A42EBD436CAE8B49ADDD,SHA256=A122E6E4C1CAC1DD4ED66010B19DFC857BD4F34A128993739174C36C9189EEE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:09.770{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AFA0F1DB7022413CD73F0CC01DD6780,SHA256=2D79D046C6305220FA994EDAACE54A2ED470A22EBD41A8F101967F283DA98E15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.590{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.587{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.584{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.583{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.575{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.570{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.567{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.564{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.561{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.560{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.559{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.557{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.553{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.532{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.531{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.531{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.530{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.529{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.528{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.526{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.522{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.519{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.516{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.513{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.506{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.504{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.473{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.468{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.457{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.456{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.456{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.440{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.431{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.385{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.378{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.368{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000196000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.363{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.358{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.355{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.352{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.351{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.348{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.346{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000195992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:09.344{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000101200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:10.862{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218CF4AA22BC752F0C0C712FCB6BE13D,SHA256=888F76FE31A9A68BD107FA8385ABD634DD591F63B8D44883CA6F8E8EB758CC61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:10.210{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3D88827BC04042CD4C8F7E1D22845D,SHA256=D66137D5072D83B7345530615F0B2D1EF2E50A7E3B04C7A530548DABE495540E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:06.835{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53785-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:11.932{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02165EAA151D08262F965A11685F390,SHA256=97C50CC52287FFE550F39A1F8072E8EF415B65B9D605C2B68EF2EE235BEB82E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:11.293{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F321F0628674C2646DD1DE100AA3B20A,SHA256=3DA2E88C1107A3B62D2F1B130E6E5D79215AF498B77843D54776789D53C82B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:12.396{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01D4D724BBF83DA1074A69AC06004E1,SHA256=CCEFED36907CB33615E910732D4753A70D43998FADABF33CED6E01F3978A22AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:10.970{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60622-false10.0.1.12-8000- 23542300x8000000000000000196041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:13.497{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4DF9EBF66A01626C62FEDD7EB4CC36,SHA256=439AC0F05F0C73CB0256BDC7840759408B1E08A5A4D0243E0C1CBCAA16F20F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:13.022{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AA5D08B77BF1C6C75BA7F302218607,SHA256=39F9AC46F66172C31F13F67283015A8771584EDC13D573BB3C063291037B03DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:14.613{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92113B238092E509712813869B3291F1,SHA256=741E35B324547F6F194EFA4E39368F9C4C64D5834A8700B5B4C228CB6AC3187D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:11.888{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53786-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:14.114{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A681800F077648436BDF356FF8084BC,SHA256=F74170A2A135820C8242475DE67BC693418FB62014D58ED9620337157EC86FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:15.647{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7CD1EB4564FAE5034E1B67632CC0D6,SHA256=647E9EB9BBB04E8740EDC2FDA59670491E740871C7AA6377BEA8E040715A6FD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:15.202{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6EC2F11DF07BC2262FE265DE6B6A66,SHA256=19579332D843C38B1290B4387C4D47EC5B5E6B5778E26B1EBBB33808E4BB8C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:16.679{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73935A9999DB5C7B07CB9BE00C8B2101,SHA256=3D126839BC6438D0CBAC464A6C9726B9E33BA812122866A4FDB7A772240FA584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:16.277{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04ABD4888C8B86F108230BD6504EEFED,SHA256=26A25967B18DCEBC9E5EE52AEF0AC264F9AEF1B89852E926E0705D36FD949878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:17.697{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D8B1E9CAE4F8916177D103FE00CE8A,SHA256=447D63B96DD3B3D64B3C50F5EE095ECC2CAF3AB99AA2870E0EF5FCA342F3049E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:17.361{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3491C7FAB2B49830C49A22FC9ABAC7,SHA256=11D221FB84517C6E30B7BF68DD35401C66707B6C10D4ACF030B17BFAD98CAF57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:18.787{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAB2880392AAF908150F4CA564E7CF8,SHA256=0A3DCF5D0B0DD964870FE09FCBA7D849C932B8CA397A6A5171EDC1CDFF27C803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:18.460{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB01D6D4ED3A3C91EFEA8F8AD66806A0,SHA256=99816A9220337EA728BE910709E3FD4D7BA5A4458EEE3E9CEF9DC95D4E03BCAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:18.082{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:19.897{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBCAF4AFF60CB9CAA7723A2F187ADAA,SHA256=9A5FAAF8DA8A215D842CFC03E320F3D4F68A8AD61236DCDA0E2649F1B2D2E27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:19.533{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23DB1F412B912596F0BC41C829531537,SHA256=98941448DAD7164AE46402B70755253424420CD5773CF9494DF3D57E6BD7EC98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:16.988{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60623-false10.0.1.12-8000- 354300x8000000000000000101212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:16.758{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53787-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000101211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:20.616{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91430113C43E1999BFCA936F7211C9C,SHA256=5026E83B34E4941CEFEE91CEC4E6C96753F2940E4C2F4FE23CBFBF130F01C469,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:17.722{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53788-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:21.699{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8E9BD7AEF597DBCF5B1E1964588FB7,SHA256=3E29ED1A16AA7071A4F2359A37E1CEF51ACD733D9A660F841BE90B7B2D221CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:21.032{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37E8409F8A757667BC58304DDA33A14E,SHA256=629BAF7D49F73E92AB883809B778995AA234A682F9153E03BB9CD194957283CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:22.785{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE36C0B604949C15961C65C64EDBA7B7,SHA256=4F2AF1649AAD6A2BCF80FF52A442E06C72907321BB90925194E552ACF06BF127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:22.048{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94514CE581ED2063B22DD4AFAD2C4D8B,SHA256=5857A8F7F61A718A926D3799BF723667249EF3340DDE56A786FB143BDDBD93B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.967{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CF47B71BB0AAFE3781CA3E4097E220,SHA256=93532637E764717AA429A6E77CF4F4C82DEADCDB3E167B6311D59E0C28651329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:23.079{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54631B026A8A8609A0A7FD68BF3F2F71,SHA256=79D2FE4F9486DEAD729CF97225DF7EFBB5DA2570BF92E12C158B38B2797216B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.626{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.622{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.619{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.616{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.615{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.610{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.609{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.601{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.599{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.595{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.593{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.588{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.584{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.566{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.553{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.517{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.513{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.492{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.455{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.439{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.427{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.417{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.411{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.405{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.394{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.387{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.379{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.369{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000101216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.366{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 354300x8000000000000000196053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:22.989{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60624-false10.0.1.12-8000- 23542300x8000000000000000196052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:24.215{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E628251C7F007849234D64410440D788,SHA256=C6AD030FD064258960908ADCC29A9B95E4BBB8511D9F1587DE8BA53B27B76ACC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:25.735{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA69-6356-3C10-000000008902}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:25.735{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:25.735{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:25.735{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:25.735{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:25.735{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AA69-6356-3C10-000000008902}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:25.735{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA69-6356-3C10-000000008902}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:25.736{E8723972-AA69-6356-3C10-000000008902}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:25.300{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EBE60AB09131D4E72E230C84D5F05A,SHA256=2484779C6542FFEB4A05CC42CC095A2E09A86557B3C68355DD8B48306F8505EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:25.031{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842DF18DFF6032ADEBC797A4B50B6402,SHA256=40643619E5AF6B5906631B7373DC14938E2F2A7463ED9CE28007E3763F1E432E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.967{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA6A-6356-3E10-000000008902}8380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.967{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.967{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.967{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.967{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.967{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AA6A-6356-3E10-000000008902}8380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.967{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA6A-6356-3E10-000000008902}8380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.969{E8723972-AA6A-6356-3E10-000000008902}8380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.820{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06F91B977C38EBEABBAC651C43629FA8,SHA256=676DC4C8339580C97D92F2DF95C7584F372FDFD4FD3D75376B97EE1AFF1C6401,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.744{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.740{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.738{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.735{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.391{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 23542300x8000000000000000196091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.390{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58362E7592043C06D833911774A6A3B2,SHA256=38EDEB4C4B05F256A39492AF0E8556A465D5D51B407FDAB9D19B3DB97E366C55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.379{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.374{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.369{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.366{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.364{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.362{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.340{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.334{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.324{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.320{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.314{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA6A-6356-3D10-000000008902}10000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.312{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.310{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.310{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.310{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.310{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.310{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AA6A-6356-3D10-000000008902}10000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.309{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA6A-6356-3D10-000000008902}10000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.308{E8723972-AA6A-6356-3D10-000000008902}10000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:23.740{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53789-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:26.111{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDBEB18D05FEE7AEB72E53C94876278,SHA256=87AD1D217AE1BAE521CFEA6E8E622EBB7DC467CAB859AD31EFB2837A8AAF09E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.305{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.297{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.283{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.277{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.269{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.262{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.226{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.224{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 23542300x8000000000000000196063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:26.169{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=166A5D46C2CC23E864C1D75B3A16D841,SHA256=2C959C69C1194604B486F4446332934CD9148A294B1D0E4D5A4E7C47591A0FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:27.583{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CB753023F36BD70BFDE970FD2AE58F,SHA256=AB7677AEE5763C0A8A9BFB1DADD8A751A4910CF72A4BC53449ED4EF3948A6D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:27.196{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E81A767D39809B9A500155D7554EFC,SHA256=4E363F4CBC6624B053B333BA543E63D07ACC5A5CBA8D5624645639ACA2E8F789,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:27.141{E8723972-AA6A-6356-3E10-000000008902}83803988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:28.779{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:28.778{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:28.772{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:28.712{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:28.636{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BE8FE468324CB94787D6436266079E5,SHA256=1BE29213FCB9A96B35CFD4B80D8B37AD249E60FCDBC4FB0F61C7CCF2D70F72B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:28.266{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC45CC39C5E09FDB68D1A3C537E3C00,SHA256=194364926B3455A9E0ADF7A6AB43C680CCC0E8F1D1FB16D8419E6B72E0D00B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:28.279{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C744980E437A4C8D6DDB66EB7760D09A,SHA256=651DD268C1551F591456DF2AABF099445D1E869DA80F47EDD0800BCFF6F9D97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.753{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8082529A5A802E97264CE1EB915B2E0,SHA256=E4A5773A2B8877601AF95F3403FFA2C6B42EC51BE0C303F925232A8451C45AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.753{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C1697216692AF3AB56E9A294110318,SHA256=7451977DCDDEEB6745756B8850383B06198AE2908E0633FDC63AB54784CDCDC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:28.143{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60625-false10.0.1.12-8000- 23542300x8000000000000000101251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:29.353{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8194810518A32196908B24A7A2BE8BC2,SHA256=7232523F8368D87219C442FC375120190D94D934762945BBABAD3C63B533B27C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.536{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.533{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.531{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.529{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.520{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.516{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.513{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.509{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.506{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.505{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.504{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.502{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.498{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.475{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.474{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.469{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.468{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.467{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.465{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.463{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.459{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.456{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.453{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.450{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.442{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.439{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.411{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.407{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.396{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.395{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.395{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 23542300x8000000000000000196128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.389{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=806D12F76D1BAC5BA04AFAF2F99A44AF,SHA256=8D7A2216124C34445396125F06170F7A8310BB9A7767A633BC5193B3D7E8DC86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.377{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.369{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.335{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.328{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.314{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.308{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.302{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.299{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.296{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.293{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.292{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.288{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.287{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000196114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:29.285{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 23542300x8000000000000000196172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.768{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55C3F84605AB48074D59312100F6133,SHA256=F58AAFE6D8A1F09125574BA804BFE1A7FB48562940FDF8B35FB8600776D49C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:30.438{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB8FF99F0B875544D5770AAA140EF39,SHA256=06109772C08D6D52CDAE109B2D91C09F01DE3BC625962BC3E4F0212F95A17FC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.537{E8723972-AA6E-6356-3F10-000000008902}76681812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.368{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA6E-6356-3F10-000000008902}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.368{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.368{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.368{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.368{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.368{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AA6E-6356-3F10-000000008902}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.368{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA6E-6356-3F10-000000008902}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:30.369{E8723972-AA6E-6356-3F10-000000008902}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000196197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.921{E8723972-AA6F-6356-4110-000000008902}78766964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.884{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=479D278481D10C33F8939BD1BBF5053E,SHA256=61E40FA4364503E2EEB160D6C9297B218FDD71CF28756BB0B22F3CF4BAA11650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:31.527{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E01E30F36B82DA0ACC5253F4329FF4,SHA256=BA3CDA56C4F521804A18F66EE3CC4BCC9AD427716DE49F8D3FC8C1441874C74F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.703{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA6F-6356-4110-000000008902}7876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.703{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.703{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.703{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.703{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.703{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AA6F-6356-4110-000000008902}7876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.702{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA6F-6356-4110-000000008902}7876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.701{E8723972-AA6F-6356-4110-000000008902}7876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000196187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.237{E8723972-AA6F-6356-4010-000000008902}83881892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.230{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.230{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.230{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.229{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.229{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.229{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.037{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.037{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.037{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.037{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.037{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.037{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.037{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:31.037{E8723972-AA6F-6356-4010-000000008902}8388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.984{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDF407C5187A23B8639E8C478046334,SHA256=95AD1D7F2475503B6AED9D151880AE15D6B189B526F1B8523C913B6A095EFEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:32.794{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D4442FE4B66F9E08C38B401DEC8AECE5,SHA256=20919DFEE476A1C3356DBF7EC395CB39FCCA455C0ED370622B944E70F5C4040D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:32.607{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FAFAC7AC595649BDBBAF1BBEF16BB1,SHA256=EBE763B211DA9D3D5023D3B23B4AF62835307F271FB8C3D2F4FF6C5F3BA48CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.802{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06A9E40968E18E0DE2F3103D0B0C4935,SHA256=B5D3C1D3B9ABFC1F4015DF175CE9B3C80561774BE25E2684B4B6587DC3FFEC88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.637{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AA70-6356-4210-000000008902}8780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.637{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.637{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.637{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.637{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.637{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AA70-6356-4210-000000008902}8780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.637{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AA70-6356-4210-000000008902}8780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:32.638{E8723972-AA70-6356-4210-000000008902}8780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:33.679{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0382D2472A29B7E0A1A257683CFE5C,SHA256=432A48BDBF899DE040F34149D46AE68FA102EA48AD300CF7C3505D505AD35854,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:29.734{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53790-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:34.765{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE39ECB367869A1419BAC97627E6608E,SHA256=921D180D2A3B8A3D2D5B4638993EF455F7294BF74FBD7AFFF9A1F464CB70340D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:34.572{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-349MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:34.070{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED59E048D4381CDCA9B6C722A2F244AE,SHA256=275052E2BA5F0F2698BB48A288E39048329F088A22870E382E82F2E2C7679A7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:35.835{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387FCB70A315C5DF7515202E7980FAC2,SHA256=90EE847B8C60B700CF8DD96F0DEE935A0A3ED683D8DB029D0EEA2D6518F963EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:33.928{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60626-false10.0.1.12-8000- 23542300x8000000000000000196211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:35.585{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-350MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:35.202{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A9E441954F907A4A5854D587F2C22B,SHA256=3F3CA2692012A7E56B2254F67A7FA986B8D9D93900B4FBA53027DC34F8DC775F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:36.908{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152804ACD11A961E7D48D6D4DDB99A55,SHA256=A1BE61E8C99AB0A661F5DB154B2EEA2BB1773A4A4AE881BEE915F7DBD99CF119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:36.296{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401C8968C59438932BC1D41B39575DBF,SHA256=C2B03E61E7B520E1559DB69AA0BD27474E61A1007E92B8BBBE4DBDF61E4FBD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:36.144{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-339MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:37.989{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB6F7073A092326CC9D8EEAB7EF002F,SHA256=6FF8E06A6E1FB1D9A0C90FCABF4AD1CEF476A637D88BA615297D3472F6EC99E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:37.439{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B63FE69D4FEB90DED323361E27A1DCF5,SHA256=EA0F53886E6E36AE099AD4F978FEED7965EB991E8294F0ADA837833F8111CA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:37.144{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-340MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:38.524{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D22AD0495884851FB0A7EE7A3235EE2E,SHA256=1221C7B6DCF00ADA5139658804BD911A5DFFFAD7838DE6FED672DFE49A7D6956,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:34.841{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53791-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000196249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.825{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.825{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.825{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.825{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.825{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.823{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.656{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627CEA7F3F47E66E68712B97DAE5EACE,SHA256=42F4CE0EEA1BEB0188BCAFA6A4088900E3657AB76697CA3DF68C773FE3BF94EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:39.068{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=819A4AFB9A8B07E5F9C2784A6F56381B,SHA256=ECEB3273BA5E9520545AF4F42C04CC22BC28FC759CB20E36B54CABB85A56A2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:40.159{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20718106BB5C884E0FF5FCECB189B96C,SHA256=92E181E2859C59653ABCF64015378409D66E410DD508DC45A8A52FAAA4A46465,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:39.932{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60627-false10.0.1.12-8000- 23542300x8000000000000000196250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:41.242{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D7D8C4615F6DA28E87017D8EAE4BCF,SHA256=9A518C956479968380F4F9E9B402139ED43EB8021DAB462D34B6285460E516EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:41.235{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685F58A50DD4F660D945675E2409323A,SHA256=E5E9CEE6CCEF8ACBD95763EDAA3D2D306AFDF73126B1C5A4E146D09393A5CD37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:42.341{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1775E26F4CC333374F3ED25D21DE1A05,SHA256=3180C2C57B4E15D5C3BC34955F6FCAF079ED422E1EA74AA749C7D95B4715C601,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:42.322{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E726B6DE53E766280B93BA15DCC7FAA,SHA256=EEA6145D06D74DBC8618A8CDA97B061F88FAA0C32C3A0F6B569E7D2B1DD8A666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:43.457{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E1174C752FEDE32A9930387E8323F9,SHA256=6076CD554C793EA00ADEF4449E9CC691840B78C5B11D87716E1C260E2EB0C022,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.589{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.584{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.580{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.577{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.577{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.574{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.573{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.571{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.569{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.567{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.565{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.562{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.560{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.551{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.544{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.525{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.518{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.509{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.469{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.461{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.452{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.439{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.423{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.417{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.408{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000101274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.403{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7F879C54DB38A2913CE72DC0E04848,SHA256=8F8A806EB7EA407BB4F876B1920AEE7F4F17EAFB6709EC66DE806B3B5E3C6BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.400{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.390{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.379{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:43.375{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 354300x8000000000000000101269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:40.659{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl56973-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000196254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:44.541{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778A82EA0BDF98748AD4399ABB46C743,SHA256=AA60B6996FDF09B4678AE1DFB83DB568AF16F1B94918055A4FDD05582861308D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:44.490{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7929B9CA7FEE17343A8BBB5E0A2608F,SHA256=E07F41E812D7F89FFB49A472034DA7B49DC160D07CA8A62AF794444788167A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:44.270{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65DA8BFE0AA04189F3C1B1954246EC04,SHA256=A662C22CC558DCBCC612895F47D83EDBEB7A0F0FF585327532FD718082847ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:40.770{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53792-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000196255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:45.657{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C79E03F5AF3DDE7A008BCBCF35ED90,SHA256=9D876D62D9B03F0695A03C1B73A78865A830A2EC8744F60E6BEDF6F1F7813905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:45.574{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013946E3E3A9E6C488E3E0876606A8C6,SHA256=2245FE75E22C0787F1430E74E89A087C9088DE25CB330B4FC61D91A03FF1E0E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.760{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.758{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.756{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.752{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000196277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.713{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FFE11E6CAD8F11BE759494F11A16C1,SHA256=72999293D4E77651D348253AE57128D313313D091CA1F34410F7EA8A64BE79CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:46.658{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB6BA7C07E572EA0375BDD445E8C78F,SHA256=FA904FB2C3F6963DBA2CE261CFD225ABFA9E71A4A72025F4A6C679121E1F64B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.399{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.386{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.373{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.367{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.365{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.362{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.358{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000196269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.340{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.329{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.322{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.311{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.307{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.301{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.293{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.285{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.275{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.269{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.261{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.254{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.219{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.217{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000196283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:47.808{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0FD398676C97F88794CEEE9A59B58E,SHA256=A13DA4CB4FFCA5731B9C67201901C5BA9C2B99BF7B90863F84645EC0D9D80CCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:45.932{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60628-false10.0.1.12-8000- 23542300x8000000000000000101305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:47.738{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B04D5AB057909694576897BC2CE3F8A,SHA256=585225D8DFB573D6C24F719E1294A6CCC006442E40302E8C8A9D4DFA11EBFA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:48.926{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C5D7191BC5DD4C072A30B55FBF749C,SHA256=CC9D5B0FDD12B3C83C78685E0C36D8390BBC6ACF49CA1AD59B312F890BBB7946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:48.890{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F27CA9ABC0D4A0F5B8B5E86D77A69CF,SHA256=F766DC6918E0D24A11D1069AF9C0F425E3B2C7968D4753C2E3F5CDF07A60395B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:48.796{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:48.795{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 354300x8000000000000000196285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:46.214{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60629-false10.0.1.12-8089- 10341000x8000000000000000196284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:48.789{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000101306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:48.204{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FD6DD44A2C2AEF9EEA522A008864AC02,SHA256=3AD3B4568F2D7763D31E75AEAC4EC9D92794355B7D12E55F2D2F32FE1F24FA6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:45.882{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53793-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000196333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.543{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.541{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.538{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.537{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.530{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.527{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.525{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.521{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.517{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.517{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.516{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.513{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.504{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.487{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.486{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.486{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.484{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.484{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.482{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.480{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.477{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.474{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.470{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.467{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.460{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.458{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.432{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.428{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.418{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.417{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.417{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.404{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.396{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.366{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.357{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.348{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.343{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.341{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.338{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.335{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.333{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.332{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.328{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.327{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 10341000x8000000000000000196289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:49.325{E8723972-5912-6356-D001-000000008902}56046176C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880610) 23542300x8000000000000000101309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:50.013{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493DBB954E4A7DF07BAFE5CDAD7F9E8E,SHA256=A94FA237AFB8C1A412D7613ED80F5401AC38B11A9E297E6103A6DA22960C4128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:50.389{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A81106C87D922BC3B5E76DAC229BABF,SHA256=2FCD9C1782FFA1AC208A682EFEA5595B7487ACDEA8D67CED10AD3ADD2DAC28D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:51.408{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0F265C4E269DF0BC35FAE5B8D4F6F5,SHA256=CEF4A7445099FA8EBA8107F5C11DB4734636ABC96FA06011158FAC997DD20FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:51.095{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890CEB7BB8047BD5D8489549D81FF2F0,SHA256=4E6C7141CA3164D39640A06C0D2ABD3C05F2F088DD14289EE729A1ABB71C408E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:50.997{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60630-false10.0.1.12-8000- 23542300x8000000000000000196336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:52.543{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFF7ACF79E1AF8BFBE928EFC6FD8E33,SHA256=583B981E5867A2ED935CC34C559937242D59D4279D9114E6F22D979C17E39878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:52.170{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896B3CB102DDB04FFC2434640CB1A45C,SHA256=7666B59BEA104892E9C41575FE9EAC461D47463582A20D72006A763F5FD025FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:53.574{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=721211B4D0F1B8BA104DDDD0E6BDD19D,SHA256=A2A03047A4EB73FBB1A75E3ACEFBF5E6BE52870D28A6C9F02D11FAA688F663CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:50.894{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53794-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:53.248{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA2248A078AB486510F04ABB1EBDE5C,SHA256=41FC794508C6D7B94BE2F19D3E24E7DC8B59D38A74C11E201A1FBC56FC09B603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:54.675{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29216C25A5BA9903BCC28AADE8BCB67,SHA256=CEF2C8FE321D3075D7B562DE78C7429E4F0A6117E4BC81F4B7DC6CFB6D4A5594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:54.336{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE22F8A2AAB8B6D411729FC3A23306E,SHA256=BC25ECA05A0B0109D2826C8E5281137218FC0B3C0AE1827BE6F0C282CFC86D0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:55.790{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DE8C378572AA1E8FACD87EFE878B6C9,SHA256=302EDDFE18FB1A424317B007ED72F597C5CD1E26C994EAE589D386FAEFB3C3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:55.416{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6E616EB0077C955759D295A33F22F7,SHA256=CEBCF7BDADC00B28E6A377CC6E55AFE3C3DE97F89A4C14BC17ABF301DB21AE18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:56.891{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B15CB5D2D0D0031DF188EA315A9D41,SHA256=3BC267BE4F5014B5D425861877D5FE40E9D7D12E3921F13EFD1BDE91EB443D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:56.496{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB079F5902B9803FF9038A47B8EAE8CD,SHA256=55DDFBED4879396697BB6861D2B7C74195D09679198C86CFA4E1DAF79846CF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:57.990{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42CA855DF8797E8DC41798AC79D1A9E2,SHA256=B605A34952985F8822DF547F5E44B555E52C861F83E6AC71114A97FFFC4BBF76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA89-6356-790A-000000008A02}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AA89-6356-790A-000000008A02}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.820{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA89-6356-790A-000000008A02}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.821{3A30D728-AA89-6356-790A-000000008A02}3980C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:57.695{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C8076B0B9B758690A95AC41230B5E6,SHA256=FE1F6113BF886291DDA92E131FEFC3264FD189870EC785DC8FF38F985081EA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.938{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06401D8C9C1A0B3F2104A739085A4A43,SHA256=F0FF010B1299D13674230EEAC49635620FC0EEBB8F92C1BDC53A7389A6DEA41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.860{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74CB85C6FD89AB6999F5167FE9A2A6E3,SHA256=100CB164CD51605C4B8D352F440EA9EEEE4045A53F877092A8E83C8362099621,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:56.049{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60631-false10.0.1.12-8000- 23542300x8000000000000000101345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.641{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C402B0590F41CA386C43DA553391E868,SHA256=FFDCE744452B8A860833FA5F1DF1C34F12DC97B82FE07A2E9611B96EB2A0AEE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA8A-6356-7A0A-000000008A02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AA8A-6356-7A0A-000000008A02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA8A-6356-7A0A-000000008A02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.501{3A30D728-AA8A-6356-7A0A-000000008A02}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:58.289{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5D44875D7C6B4CC0204E9D7344A10ADB,SHA256=2631FBCD97BA563A016AE569B637C88F16269FE52CD1667C769D29615F7BE030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.975{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1E4F9F98E5042FCFE58D2E7890C405,SHA256=ACF9D8BDDF907FEC7BBBEBBFDF0F51B93AB1DCB8DDA1F29B2ACB941590D5C49D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:59.690{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4E3F8BE9CC7D46BF14AF1B5EFB5EFC3C,SHA256=C3452A0DCD71E60359F52F1908872DC1E6287165760EFE654ADF2B1717800212,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:59.127{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC07FD0BEECD4A593C59E27CAEE11B76,SHA256=CBF179835DE1E2F15E8E5F2831FEF58D34DF076AED20D30E0E5D8A280FAD948A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:59.107{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4713CA6EF210554F0BE99E386F6BC6B1,SHA256=7C60EFAEE9881D4C159343CC60C4DE72EDAC4B1940ED8309A79C913650EE30FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:56.866{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53795-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000101361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.222{3A30D728-AA8B-6356-7B0A-000000008A02}1364596C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA8B-6356-7B0A-000000008A02}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AA8B-6356-7B0A-000000008A02}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.001{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA8B-6356-7B0A-000000008A02}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:08:59.002{3A30D728-AA8B-6356-7B0A-000000008A02}1364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:00.207{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5667FE3ADDB5CED242B3FA0F6C8712C,SHA256=B91F34E0DC39A52698A94D8F8067FB81248C54A95E5DE7A3B34F459CA22571EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:57.950{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60632-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000196347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:08:57.950{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60632-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 10341000x8000000000000000101383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.279{3A30D728-AA8C-6356-7C0A-000000008A02}3563352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.252{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.252{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.252{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.252{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.252{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.252{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.084{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:00.086{3A30D728-AA8C-6356-7C0A-000000008A02}356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.262{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997342B7B7C568CCBF719D7B712E241C,SHA256=B07100074AC1FAD59BC1E044CA6F6943C65EAFCE64B4AE13F7243FD1F0B5A3FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA8D-6356-7E0A-000000008A02}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AA8D-6356-7E0A-000000008A02}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.910{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA8D-6356-7E0A-000000008A02}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.911{3A30D728-AA8D-6356-7E0A-000000008A02}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000101398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.441{3A30D728-AA8D-6356-7D0A-000000008A02}20162944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.229{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA8D-6356-7D0A-000000008A02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.227{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.227{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.227{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.227{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.225{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.225{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AA8D-6356-7D0A-000000008A02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.225{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA8D-6356-7D0A-000000008A02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.224{3A30D728-AA8D-6356-7D0A-000000008A02}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:01.059{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE04F9362F583F507EEBFFB6F56AA78,SHA256=0D82F7FB9764BC663795FC07238A46152F7A58CDEF6337AA46351DDB5217AC04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.113{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++www.vistax64.com\cache\caches.sqlite-walMD5=CD3159AF4CCAA8DE532F426AADD6DDDE,SHA256=1D449B7A7C825E0300790C763A6AD071410A2B19E6728BEBDC68CE76B640C405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.113{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++www.vistax64.com\cache\caches.sqlite-shmMD5=A65B59F4F05B825FF455AD52E4754395,SHA256=42A9FD9B625896B50D5DE11340D2925D5CC92D15A6E743F80564A134ECC316B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.092{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\12909MD5=768D25F0DEE4B74A35BC2354860A6F23,SHA256=EE0694671496D507365307FC83B5EC48272E361E2AACCD8FF32D6CE004860B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.092{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\9683MD5=5F0D51A55F09C9C86BFBF407BD193588,SHA256=F197B272C48EF105C37610AA9A025C6D3ADCC2F0FD61A12F56407C24E74054C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.092{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\26051MD5=10E000F20B3E1DD65116FB74B7C291DF,SHA256=C1EE3FC771C33258F353B61AFB9296549B82CB0E12C60646A55A34A4B3E14DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.092{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\29357MD5=D139F19FF4FD43430F46EACA59D4EEE4,SHA256=E4F98E33D82553ACF6D053488C6B1DDC128DFA0F119DB17BC6FFD52401278B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.092{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\23202MD5=1BDE84993A2005C19676B9890B96889F,SHA256=4C193C82FF3FE5CCDEC8DF122EE505569D395AE38B1BD53F06FABD9281EF383D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.077{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\12187MD5=59849176BB0D87D659822A9EDC0376F8,SHA256=10506F1D9825003BFF76DF7C0FD125B53AA2DF06A1204B85E3B6D10C6ED791E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.077{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\12407MD5=17C7EBE458B723E34BF45F6A50C18251,SHA256=4DB265337292C40E4900829157C4331B8EA7EA500EC51F7048477D58B2276CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.077{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\7026MD5=5FA6ED7F21C020A1318CF51B7B40576C,SHA256=26F64EE793B821ADCEB12F19EBAADAFF0F802C974C453D377C1D8377DA8037D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.061{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\23312MD5=072547FA810317C96628BC0FC0E27813,SHA256=C57166515F50E7ED560D60099D98AF9F12FFD4CE4C7E34B24C97C076183908B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.061{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\27189MD5=F2DCA1AAA8170A12EBBC64D9721430F0,SHA256=9130FA9F04D83AB780A72AA2ADE4C54F6DC6F41AC2C1BB7914D675C51C7BF692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.045{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\16474MD5=F92BCA776555C446F883737C7772AB64,SHA256=8B79169935B5412A8ED5BE1C37D18D9ACA559300159CA1927D1D44DBDE08AC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.030{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\1534MD5=E12A83819A44F1C08DAC1F35C9F427D7,SHA256=D1F67F4F47684A03ED22468B735B50A5C979DF40040634DAB48FD2B636B440DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:01.013{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qlpm6uue.default-release\cache2\doomed\30149MD5=394E75C0CDAF69F1784D7F0C57C6610D,SHA256=8CEA1133EC4DD1FD4C84FE97BD9AE1FB0C83637C59416C22F11730A17C50F3B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:02.935{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C031ED7562FA7019C1D9400AEEA76F54,SHA256=959D1C4E3705B9EABFD3EFB2218FCA9707E1FAD0484F6417EE2BA5E5D3DD743C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:02.295{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44681CF9C7AC45CCB6B4F9EDAFC4A214,SHA256=146F9BA63BD2B1BAF693BB07671770A230DC581F771BF49433D5AF1B90727405,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:02.099{3A30D728-AA8D-6356-7E0A-000000008A02}15322140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:02.313{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516C253A41348AC6A3BF1F3DD7D91B70,SHA256=69515700008E10B8D75FF40D4D81826EC87986A69DB80188FB00B0D796194C29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:03.383{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED0E9902BC3B5773FCE67CC834C4EE33,SHA256=AF0FB69520A05B84C8DD625597A277FB2684BEB85775FBF809684480A4ED330F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.580{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.578{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.576{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.573{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.572{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.569{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.568{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.565{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.562{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.560{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.558{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.547{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.541{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.533{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.523{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.507{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.503{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.491{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.457{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.449{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.441{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.428{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.422{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.413{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.406{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.400{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.387{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.373{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.371{3A30D728-58BB-6356-1E00-000000008A02}14362496C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012480190) 23542300x8000000000000000101415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:03.154{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81ACDCA10C3E08B4E5AFDD8A0C3370A,SHA256=537D69F10745B38C2639573C0359305119B7EE3545A88756062105B754E5D9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:04.599{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD8685DE7B0A4010930CA536B1BEC1B,SHA256=CC0027247EE33978986471148274F1ECD1ECEE4F7D7C48258485F9F4A6CC359E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:04.402{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ADC347DD210A44109325F2796B53050,SHA256=72FE55F9A92705AA9E81113BDC693B55E2F59DE94F916ADA632A50C1EC9483F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:02.022{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60633-false10.0.1.12-8000- 10341000x8000000000000000101460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.913{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.747{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8609FABF5599E115600531A0C1686F,SHA256=8E74AD824D37682D2D3C095C2593CCE781617BE1F1E74956926C38FAE089E2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:05.456{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD1C2D6BE98AA3B4041124198F5A41B,SHA256=A3BB66B766D937019FFE9EB8269C80321D1702FA4CD8710913F3AB3F010CA576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AA91-6356-7F0A-000000008A02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AA91-6356-7F0A-000000008A02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.091{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AA91-6356-7F0A-000000008A02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:05.092{3A30D728-AA91-6356-7F0A-000000008A02}2580C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:06.841{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB1D5DFFD9492C8BD4ADE3B2038BB24,SHA256=355026D571A7742F277A07B59DEAC3287AFBD2E99C569ED842846A5ACE1BA036,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.751{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.747{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.747{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.744{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000196391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.597{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A613BFBB73CA7EEB2C3339AF09382C40,SHA256=BAD6FB211BF05242F41685AE50E9FF1D50179F495B765518164C09A40A70BB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:06.142{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D0F9D8D261146CA24B5C78983A9BF74,SHA256=EAD52BD17E8C7CA21693EDFA773D4A4D58F6A4BBF9A4E78487AFA6157112500D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:02.829{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53796-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000196390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.395{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.383{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.378{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.372{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.369{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.368{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.366{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.344{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.337{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.324{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.320{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.313{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.306{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.298{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.289{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.277{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.268{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.260{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.220{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:06.217{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000101464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:07.933{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556C448B00604897D3952BE15B6507BA,SHA256=6FA94876E4FFBDCCCD6A0BB6AA199EAFC690C48A545F0EE09BF235807E7C8A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:07.643{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11374754D93F861677048144A3AB2519,SHA256=CCC87AD5A04B0A0D8922033F7ED5B4E18B29AB66CF6F16A4159A4BFC7660EDFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:08.814{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:08.812{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:08.806{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000196397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:08.758{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A4C2C677789AA866581264399A82FD9,SHA256=C4C220575941BF372B7B724432930E620FF7A994B0C973414E817172EB0EE2BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:09.003{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9B3CC979CC9ED838BE8733DBD53283,SHA256=F898F926FDDA1955D876AE4ACF0BFFD8ED590E34BE82E4B862DD25977F1F9CEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.539{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.537{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.534{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.533{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.526{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.524{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.519{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.515{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.513{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.512{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.509{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.507{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.504{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.487{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.487{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.486{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.485{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.484{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.483{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.481{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.477{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.474{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.470{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.468{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.461{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.459{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.437{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.434{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.424{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.423{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.423{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.409{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.401{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.362{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.356{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.345{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.340{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.338{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.336{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.333{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.330{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.329{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.326{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.325{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:09.322{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000196401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:07.113{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60634-false10.0.1.12-8000- 23542300x8000000000000000101466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:10.076{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F473F87FA795A6E89FA33C5CC8B3DE3C,SHA256=20A1DEDC639111377023826EBCD713116D05498C688222A47B6A428CACBA7709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:10.091{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0256F29D99C6AE308225CF7BD3C03F,SHA256=81D6379593768E744C5EC86D45ACA4CA0FD71F7C2D72F860EBC0B94BEA0F7912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:11.160{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D119E55834CCC822D8FA9092CACF20CE,SHA256=E29EA8509E131F57E2A5EC4A691993936FFC416A37D3A1381D8841FEB6E417D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:11.108{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871C4C0D743FA4615D0B4E6297764215,SHA256=0E81948B050FE63BC0B75E1456D56DEFD567BF93256DE3B2E1428FF1BBD8AE0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:08.864{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53797-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:12.239{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8990ADCFEF21CE7E8588FA1CE300D2,SHA256=CABFBD5A2018DC6AFE4A24B01C896A507F7D0A95C01953F3EBC35EFDD501F25E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:12.148{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04045347991D0DAF87B7D791D6E144BB,SHA256=11B3B934B31D33A312D16DEC8E91B27DE0841EE7287E995424E4EA70F7DB6940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:13.343{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790A9A31D776AB1389AC0E4AB13AEE11,SHA256=78F2F0387E13EDEA2C72C2C788958D05F15AA2B0CA96EFF31705BE2B45D95CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:13.197{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A901719B47E5F08C230B95ABBDE5D9,SHA256=FAD9E478E79D28261F9BF755888434770DDA52BB08BCC1DD922C3C9149511DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:14.432{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D503E0C2DCF14DA208CB556DCC37B5D6,SHA256=D6DFA36AAB3D15E8364C8270313B170F2B666444CB8548100C26DB32573B10B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:14.283{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3A9483EF8FFD27D50E3740769235F92,SHA256=F55D275F02529DE76D25174280B42A9E9CBB3D54F1BD5090C86DBDBD10006836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:15.515{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF4F59F09687289ACEDD6E8A2C3D97C,SHA256=ADE3C34AFEF90F956C4BE512B24357A8819CD29E6B0E198AC858E80C7BC7CFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:15.369{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA87B12CA4DE64B57532F85B1F7333A,SHA256=0E7A3A1B377BF36E4832438F725F7B8E2228A7CB16091EC12CE9255AEAC86223,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:13.140{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60635-false10.0.1.12-8000- 23542300x8000000000000000101473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:16.599{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B32B800EE78959EF62A22D0D04DA2D,SHA256=3DE946873C7396A25A837605A1213BBA8F8D01CAB088E5BC525CB08200601858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:16.510{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ACB142AA5545E72B993F5A73B301B8A,SHA256=1036296D4AE4E074BFB04D851CF07C1526EFDCC717C076C8823867BCEF02A800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:17.682{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3BBFD642036FEC38AA2D62D4467C23,SHA256=7BDB3BBB1FDE9FF17FDCCA31AEFE46AD09B77D475EA942A549E4D582077517F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:17.639{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5384093B9ED4D524A5FF6D11BC49C30,SHA256=D0C59A6C47FCCB303B69F8A240D25DE8291775F2A8BBB397A2C85ADB975596F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:18.767{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FD1973D16187FF0F38673F1471BFEF,SHA256=9A02D8F2ECF957DD893AA3A7C15F4C6A3C0908BF47D78E24F39B2D23C021FD27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:18.678{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD44C288981A01E7A2BF3A72C788D0B,SHA256=45F1B1D30EFD86EFED4762C16C0D96D118A473CCB85EF36CA6FCB07E30865368,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:14.873{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53798-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:18.103{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:19.858{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70DE409C771B30FAD9E72E1465D6BA9,SHA256=CB54FFCBAB6E669F49E62DBFDFA16A8915AC6273DFEE6DA8BA559FF7C0EE87EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:19.712{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C178367AF9AE66B52C4A4651871B5CD,SHA256=4E587EE9B6D179B286BA27346C48BB7323153C8602CC50A36926FAC0ABB87F73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:16.780{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53799-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000101480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:20.938{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F0ACD50DC3AEAE99E5DAAE003153F8,SHA256=6DD5F58EB85E98F512D97E9D2AF3673BDE72EE3D6E00225FAD7563652B1928D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:20.764{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186364F6FD98977F50BAF3F275D79EB3,SHA256=EC8ED13D82B4502F64D8EE9D73BA64FCD672FEA0F52FE4BB9ABA463B95E3CF18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:21.814{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BDAE4F4C62EAF232EAD11FCC7925993,SHA256=E18653969E15B98A82F25851D0EFD2759E748198C1AF9413A7031DCF6723C5AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:18.968{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60636-false10.0.1.12-8000- 23542300x8000000000000000196461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:22.869{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A2A79E722E28A64BCDA888B834EC92,SHA256=921BB9A4AE5B57C5558923A6E13D09673BA2A70F93632E0E06A7313315F82FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:22.031{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40D435D12186BF8A52879F33A8B03C3,SHA256=AC103FBA6E521CDFACDF77082F324E029E1761E1BC221F1D53466BA7EC645605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:23.933{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A632E55EED3CE0941242469EBA59E531,SHA256=72018EC36F2C2FC96E1B3E3E292044700636E68FEE7D9B974F7A94DA8AC7AD56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.582{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.579{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.575{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.567{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.566{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.561{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.560{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.557{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.555{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.551{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.547{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.542{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.539{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.525{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.507{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.490{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.488{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.480{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.452{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.445{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.437{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.428{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.420{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.413{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.403{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 354300x8000000000000000101487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:20.755{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53800-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000101486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.393{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.386{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.374{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x8000000000000000101483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.371{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x8000000000000000101482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:23.117{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AFBC973CC30476EE548A4C3BC98315,SHA256=FCA4BD877EE7B6AA678827149E6D184BE6E96D31FAADCB898CF053AC3FD11CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:24.972{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=410A900EF7AEE76A3FF52E6E4C77656E,SHA256=C3398ED841FF65924DE675FA7357EE0E1D6B532BF0D262F84D84DC4CCCDEE54A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:24.720{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF149a3f0.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:24.256{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=821C570C5C83AC3B37EAC3B3DAA7C4B9,SHA256=9E1AD85DFF8237C7539B3E0AF5A8CCCEC32B5037C63DC32D819686DAA9960A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:25.284{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BB81B85EA70C4BBAB256DBE2E5CAC1,SHA256=5C61787A6FC72C5CC9BEF17BAD67A5F1DD596EF3FA0E81F5823807014014975E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:25.921{E8723972-AAA5-6356-4310-000000008902}19608332C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:25.757{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAA5-6356-4310-000000008902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:25.757{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:25.757{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:25.757{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:25.756{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:25.756{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AAA5-6356-4310-000000008902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:25.756{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAA5-6356-4310-000000008902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:25.754{E8723972-AAA5-6356-4310-000000008902}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:26.369{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=433AFE252D6CBE84525669696F9CEC48,SHA256=A6480DDE0C3AE01A07239CE2C0BDC4CAB42EE9055B3D78511A095F9C1BB46C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.845{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D7DF69FAC74B4FC891CEEC0CC3D62A7,SHA256=44CACAD63F016DF1FEFCFEE48BA5BDF79492316538853E0AE2926B301664FB8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.825{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.822{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.820{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.816{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.609{E8723972-5646-6356-1600-000000008902}130010104C:\Windows\system32\svchost.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.609{E8723972-5646-6356-1600-000000008902}130010104C:\Windows\system32\svchost.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.542{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4090F0C5905980D98B8FD5A6AC2944C2,SHA256=380A911DA6EACB1956309688536C6D5A86F3CDBA522D37E70478BC362722DEA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.533{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.533{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.533{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.532{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.532{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.532{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.435{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.432{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.432{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.432{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.431{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.431{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.431{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.430{E8723972-AAA6-6356-4410-000000008902}908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000196495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.422{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.408{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.401{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.393{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.390{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.389{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.387{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.360{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.354{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.341{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.336{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.328{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.320{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.311{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.301{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.289{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.280{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.270{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000196477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:24.040{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60637-false10.0.1.12-8000- 10341000x8000000000000000196476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.230{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.227{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000196474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.021{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04789350E63F8FA74D40E3612B2D83F,SHA256=A8C2FB0003618CEDA045470A91BD9B0BE75FF7AFC56B42709B045AC99DBA4E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:27.448{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8FDA1D4D419867D63408F9A7698ED4,SHA256=C89A8827D1D167465BE8FF10A5497239501B8BAC54CFB13D94A4785396A84EC2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000196538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000196537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000196536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000196535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\LeaseTerminatesTimeDWORD (0x6356b8b7) 13241300x8000000000000000196534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\T2DWORD (0x6356b6f5) 13241300x8000000000000000196533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\T1DWORD (0x6356b1af) 13241300x8000000000000000196532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\LeaseObtainedTimeDWORD (0x6356aaa7) 13241300x8000000000000000196531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\LeaseDWORD (0x00000e10) 13241300x8000000000000000196530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\DhcpServer10.0.1.1 13241300x8000000000000000196529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000196528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\DhcpIPAddress10.0.1.14 13241300x8000000000000000196527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:27.392{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8893490e-5584-4031-81e5-6dc676818111}\DhcpInterfaceOptionsBinary Data 10341000x8000000000000000196526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.076{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAA7-6356-4510-000000008902}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.076{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.076{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.076{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.076{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.076{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AAA7-6356-4510-000000008902}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.076{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAA7-6356-4510-000000008902}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.077{E8723972-AAA7-6356-4510-000000008902}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.076{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BC7B991BF94BCD004FF21717F669B5,SHA256=27745E12DB3F512B4A8808B48615CB294516A620C6FF5407C00A2D976EA7CCD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:25.898{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53801-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:28.525{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6111F19DE0E78814113C30D4D7435A26,SHA256=FDC71F40402AFE09669429C5EA6845587A8BCDAE523AD09E773DCE6FCE7C49BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.863{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.862{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.857{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.733{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.733{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.733{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.711{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.409{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.409{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000196541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:26.900{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59096- 23542300x8000000000000000196540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.293{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=824C0F296FA311B1BD9988C3A50494B0,SHA256=17BE42EF6468AEA8DD748B1064FAAF0582F5DB36F92356E40D3B191504233018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:28.139{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFC0E72CCCA71996F597B9374090AD,SHA256=AD0660A30FBA1F7AF27021CF2EBFB34F09A1BD468D86101338D3C9E786E88CDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:29.624{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4DEA2C56F29DC586ABF029919550C7,SHA256=DB99D655518C0306B1D35DDDB693AF1A07EFF949D1111028E778F94FC3F28CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.912{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4405F0E0255CAA5740879BE062E77C21,SHA256=20F05E20438496849C432D70EE80AA7E06CED10244A12E732242E8F7AA2A6FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.848{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A0F36EB9A80E7B9838C1737D3A9831,SHA256=D1E44E03E4F789C6B68CFF6B4978892C803385092D3BF4DADCC5A2BCCC6BA6CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.719{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.613{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.611{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.609{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.608{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.601{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.597{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.594{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.591{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.588{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.587{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.585{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.584{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.581{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.563{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.562{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.562{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.561{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.560{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.559{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.557{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.554{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.550{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.548{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.545{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.537{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.535{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.512{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.507{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.496{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.495{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.495{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.482{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.473{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.440{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.432{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 13241300x8000000000000000196576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000196575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000196574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000196573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\FlagsDWORD (0x00000002) 13241300x8000000000000000196572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\TtlDWORD (0x000004b0) 13241300x8000000000000000196571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\SentPriUpdateToIpBinary Data 13241300x8000000000000000196570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\SentUpdateToIpBinary Data 13241300x8000000000000000196569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\DnsServersBinary Data 13241300x8000000000000000196568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\HostAddrsBinary Data 13241300x8000000000000000196567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\PrimaryDomainNameattackrange.local 13241300x8000000000000000196566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\AdapterDomainName(Empty) 13241300x8000000000000000196565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.431{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\Hostnamewin-dc-ctus-attack-range-702 10341000x8000000000000000196564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.420{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.419{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000196562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.413{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 13241300x8000000000000000196561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:09:29.412{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{8893490E-5584-4031-81E5-6DC676818111}\RegisteredSinceBootDWORD (0x00000001) 10341000x8000000000000000196560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.411{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.407{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.398{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.393{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.388{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.382{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.381{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.379{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 354300x8000000000000000196552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:27.283{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 23542300x8000000000000000196551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.210{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B246E664D12365300609A623A3A83E,SHA256=819D29E6A4FA531DAC03C7F594D0FCD9F8529EB6CDFBB6272C079E5F0229EB84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:30.713{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D74711D4AB70004E656C54126F72CD,SHA256=D3040D7FD584D00B746BB427E72F4677492733FCA7D663D54A913BB852022D73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.564{E8723972-AAAA-6356-4610-000000008902}80167692C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.518{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.518{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.518{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.518{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.518{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.517{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.396{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.396{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.396{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.396{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.396{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.396{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.396{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.397{E8723972-AAAA-6356-4610-000000008902}8016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:30.280{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CDA472F48B86B9C358DE5482EC49E5,SHA256=25E92861304D758604E6D7EA931DD99C83D291332DA264F5E4BFB566CEB8C718,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:27.861{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl57333-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000101523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:31.815{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7470EDBA3DBBB7E9789DCE41E6EC83BE,SHA256=81A082110542080DF551D8B494B5802BAD93338E2B2D9613F7AFAE2FDA9E1731,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.931{E8723972-AAAB-6356-4810-000000008902}26447956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.747{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAAB-6356-4810-000000008902}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.747{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.747{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.747{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.747{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.747{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AAAB-6356-4810-000000008902}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.747{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAAB-6356-4810-000000008902}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.748{E8723972-AAAB-6356-4810-000000008902}2644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000196653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.324{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60697- 354300x8000000000000000196652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.323{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local61612- 354300x8000000000000000196651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.323{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59081- 354300x8000000000000000196650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.322{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55692- 354300x8000000000000000196649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.322{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local58181- 354300x8000000000000000196648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.314{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55731-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000196647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.314{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55731-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000196646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.313{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local61818- 354300x8000000000000000196645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.311{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55730-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local53domain 354300x8000000000000000196644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.311{E8723972-5646-6356-1400-000000008902}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55730-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local53domain 354300x8000000000000000196643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.308{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local62284- 354300x8000000000000000196642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.308{E8723972-5646-6356-1400-000000008902}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local62284-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local53domain 354300x8000000000000000196641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:29.070{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60638-false10.0.1.12-8000- 23542300x8000000000000000196640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.345{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0DBF2F434FC689266856FB458F79CB,SHA256=DE5F831C5C7B400292182F2C3302717B4DB7F20B691FA18E3F5C93AAA55296E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:31.362{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14A7D02CBA6F388521BEE84505F8CF7A,SHA256=759294087886080A1F1AFA7914E4AD788A1EE089905991B5C7566A4FFD83BBDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.266{E8723972-AAAB-6356-4710-000000008902}74882836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.083{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAAB-6356-4710-000000008902}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.083{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.083{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.083{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.083{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.083{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AAAB-6356-4710-000000008902}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.083{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAAB-6356-4710-000000008902}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:31.082{E8723972-AAAB-6356-4710-000000008902}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:32.906{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFB4FE34A66472B3F41C1C6399C0952E,SHA256=3AA8035B09658AD50B0FF57F331B0CEA735F3CD928CDEF3310455D42ECFB9C9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.591{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAAC-6356-4910-000000008902}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.588{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.588{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.588{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.588{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.588{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AAAC-6356-4910-000000008902}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.587{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAAC-6356-4910-000000008902}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.586{E8723972-AAAC-6356-4910-000000008902}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.401{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDA3358A4530F9AA8317D46C6187E730,SHA256=8C1CEE26C09F4F512B38E4931D685AC62DCC419FB5B838F371325EB7B5DF2019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:32.116{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=30F5B1C15A216D0640DC1AC70CE758C0,SHA256=0B562B30B156361D3B0952F11CE8F31FAAE763F0CCC14D6C70DB6D99C1A5CF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:32.147{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CBE9FF4AB4C7E116FC61BDCA7CE7B02,SHA256=036CC75CD73D976EC1A3F475FF893BFF84B59CCDF74FF260865B997AEF5572FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:33.989{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF15C0EC80E7510115EA9B29A33F8E16,SHA256=EF7315DF449E192260C88A9964EA103FF7F624E964A878190525F3B7F8C4547E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:33.469{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3A0E54963906011A510E756A03B074,SHA256=0E26E90A708551974DAD0EC8A0D780520607A35AE901C3C7C6D8860254F2A003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:34.536{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53C8F7E5ECA8787FD6142DEE33367CA,SHA256=40C061485B896D9E0F186BF1E5D62055BE1E28B2B33D2C1757B7474216D2593E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:31.802{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53802-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000196675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:35.571{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F526038411450901C90B6523951E1954,SHA256=68344B86DCFAFAE42FF609683B68D45C3556DCF09DABC659ABFDAE1EAF2FEF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:35.046{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F531D81A841338BC2F9275F8ED566E36,SHA256=C45C4614DBBF51534F5E618D15CB90AAB244648395EC3A64E2A6784DB4E16EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:36.632{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D263FBBCD72B5F8808FE4F8B684251,SHA256=6B1B2C8F08915350FA8476619A71B2F46C452DF8DB2B9A506E580CC0DF867F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:36.244{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748CE3199641431FE9B3AC51B1EB807B,SHA256=9C5368A04BE8202EAB4D7A5CE861B87378E73A7D8B4BA0E8992E24A8FEB6EAEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:34.110{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55732-false10.0.1.12-8000- 23542300x8000000000000000196676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:36.092{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-350MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:37.680{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7774439ED20277136A186716FCF13892,SHA256=4B97895E5138D10E2F73AEE8B3AC074FA33E01729C9D086D08A4BEF6135AD989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:37.657{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-340MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:37.318{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA34A9F75CE39D65169EEF5D5DF89275,SHA256=67765F9922CFD36606A2C0826DA89890FC4E22DBC6E80B15BFE06382E8E407AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:37.093{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-351MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:38.722{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8469884E119F3422943F5926FED67533,SHA256=DE4A15A18E65D1401EBC7219BDC573627B340D5A1EB187D81A16044EB5A9354F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:38.659{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-341MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:38.392{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7305959B7B94206C579600363C180D4E,SHA256=D40D10FA8E0FDFC175BFC61F3473A27CB1C7559444160C8449796BFC31A6BDCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:38.229{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4557125B6005616F65E9B768B23F9208,SHA256=6FA228974483FA207BC58584DE995340F1A92A8717923A486D92837AE3C9BDC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:39.798{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D318990A94D626360F4096B06B1A84C,SHA256=29724A82D75AA2308D618303FFC44CB686FC396EBCF7885E56D06B44A6E6552A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:36.921{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53803-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:39.490{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA849DD27B98914966E11F4ABA26C1D,SHA256=5E59D56020A331C71F6FC3118B46FB9D3D4A3973BFA9FEC098D19AC3523B82FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:40.833{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F463CF9D541EE24E020A36F011D688B5,SHA256=BC571E54774EE9A91ABF31839FB9CC312DB4E6C83E1540C78BA37A2BB04E64D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:40.569{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3EA66F61ED8A9FAACAB6CA7DE88E915,SHA256=77A69FB145B04021F3A26E65D3EDA57CE39BFBF468980E5C3809178417BA0E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:41.952{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CB5BD347C94B28E582AEC3B8346D92,SHA256=EC301E366AF79FE915934588FF990ED7072047FE9D978C5ABE2171C61C82F0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:41.653{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEBC320B6AC71AE43CEBBC86BBAB6C8,SHA256=958C6356FCA9EB033E2B5043F709A3DF096133A46C2537DC8A262E78E22EFA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:42.732{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4014FA02B1309275FCFBB49E1D53A003,SHA256=D7B6409FE9256F518408B77DC08690A7A25BD747E76D4BD9C45220271EE6913B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:40.054{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55733-false10.0.1.12-8000- 23542300x8000000000000000196686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:43.088{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78672282AF6D2AE43500B17AF56DC82A,SHA256=79BEF1120A3C48496A42E76C50A3879346EA42EB8B1A208DA2B4F3E3AC9DF798,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.593{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.591{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.586{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.582{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.579{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.564{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.562{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.559{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.557{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.552{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.550{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.547{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.544{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.538{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.530{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.517{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.514{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.507{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.483{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.471{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.460{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.444{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.432{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.422{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.413{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.401{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.389{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.371{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000101540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:43.365{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 23542300x8000000000000000196687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:44.126{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2EB20126F7C8523BE6B773B4F0E628,SHA256=6C9174B343C5C8489CCA6DB2EE1BB9DB0C76E05BAADA8411BB0AB036D58E2C4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:44.137{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B841AC1750B58E1AFAD2C2EA1326AB7,SHA256=FED5248B2F36CAC59C62A821F752379C95EED9764621012CA85D153B5BE13A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:45.260{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F730A2E575621C0EF5DF2DA50E78F7AC,SHA256=28603A773E0CAC47549339B8D1D20A797F3DDD005966C124E2027693C1289B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:45.217{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C7FA829A5EA95521019405D88788E6,SHA256=701E7E5EAA591550C989223B561C6E443AC9F1BC5B2522B95F4B884AD4480881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:46.283{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DAEDD4485C11AEB42144912B033591B,SHA256=AFF1CA290E1517BEF65AD3A6D0B56DD30ECDB505D1035042E09F07F36EF9BBAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.844{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.842{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.840{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.837{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.438{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.425{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.420{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.414{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.411{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.410{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.408{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.377{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.370{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.354{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.349{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000196699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.346{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.342{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.334{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.326{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000196695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.315{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750ED35588BC2D9BBE7CCC74385CEB4C,SHA256=1335889E7F87E2032AFFC0CA869974F374765A40E4CF37FDD0A8B0485EA6B63D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.314{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.286{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000196692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.276{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000196691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.268{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000196690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.232{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000196689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.230{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 354300x8000000000000000101571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:42.892{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53804-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:47.359{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734A1784F3817DF34364B0C69AA6734C,SHA256=C7C597E3C44946BD08D6C8DFA9D4E645C466D513886588DE5309DD34FB8E3223,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.039{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55734-false10.0.1.12-8000- 23542300x8000000000000000196715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:47.353{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9803E86F2BC9749D2840B51DD73344,SHA256=A723F09163F92CE623601270A8C4D37E0D57580F029F90D9D11E61B47A786962,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:48.448{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57562BE1B5B63D14ADB5F18B56F2EDA,SHA256=92186E1350E188A960E05DF7C3D0F206CD7B6ADD99BD4EE1048CC674338FE138,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:48.875{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:48.873{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:48.868{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 354300x8000000000000000196718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:46.232{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55735-false10.0.1.12-8089- 23542300x8000000000000000196717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:48.435{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F28BFA9BBE09DE454BC02549C59743,SHA256=0C0898288A39885C70E2ECEBB9E640F85A9CE03A91C7F1EBE7CDEF28F82B8D65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:49.521{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E4C07B232871F13ED2E44979FABFFD,SHA256=B2A9D83B0C81422BA67741B20E6ED22FF40002231D05803BA7EFF4B925D2EF19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.632{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.628{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.624{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.622{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.613{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.610{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.607{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.602{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.598{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.593{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.592{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.586{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.580{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.553{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.551{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.550{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.548{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.545{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.544{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.536{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.533{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.529{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.527{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.524{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.516{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.514{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.493{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.489{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.478{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.477{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.477{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000196736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.477{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C521ACE3F9E221E1F7EA2C744ED6ED5E,SHA256=B6FE4233FCD002B50976803BFDEC0CEC3BA817504398401B02CC83AB25F88DA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.462{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.455{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.425{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.418{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.408{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.404{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.403{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.400{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.397{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.395{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.394{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.390{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.388{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:49.385{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000101576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:50.594{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B6B227804BE524D4EC53A45B0E343D,SHA256=86B964A7A0587ABDD7E33A70B66B50847528943BC8A216BEEBBA01D1459FE5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:50.641{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D008E643F22A1A67241403D7F85DEC71,SHA256=56D0E5C97B53AEF1CFBDFD90B77253372A35E3B151BBDF82D73B08EDCF22EE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:51.662{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BCD7DE9F7F52D12D8877FC6132F763,SHA256=70D0CAE57026DD02C8C9B0E5264FB4BA43172AE6F75FF7AC97D9E2D87C91524C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:51.659{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BEC8B456F2A37C9312E5C3A99FDDA6,SHA256=4F58A13139436654C0466800D3D9B9A7D4AF4613891630C6E3C33D2F0141998A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:47.900{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53805-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:52.759{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35846025D0829F3CDDB5302C34186B9,SHA256=2C3DA83D62151DD78D60B5830F9DFFF9ACA38A8A968F6E84F29ACED7CE68DF7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:52.728{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4E938D792EA41D5D56C697C4301020,SHA256=49E017F5B33AA3F792612352DBF5D45D912EA7DB37AA15E0BBA4C597BDC3B1DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:50.848{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local59984- 23542300x8000000000000000101580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:53.838{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80792E2F322C75E160B8B2AF42B14C22,SHA256=A9BC7375948788F0DCB53528D0BB2DE2DF6A3F75D6198E60EEDB2D7171C388C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:53.829{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D75DE06CCBCBAFA8C115F1ACA06B42E,SHA256=3280FBA968BC0D9AEE74E3898A9A810AA520F15737488E28D83A4719149C9008,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:51.048{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55736-false10.0.1.12-8000- 23542300x8000000000000000101581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:54.920{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910F8D0E0762180FA627316FCF7C9EEC,SHA256=68BCA150B0653B43D7F527E130E739F97FF3632423BC0EDDD6B9C63D606C0F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:54.911{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB22D1905737DC444779CD88AA1CB05,SHA256=BA0929B80652912E8306F539E6F326CAE0A7FD4B1F86DE00F9E1F5755E011CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:55.948{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36D5D08A219D1CF3814B09A491616F0,SHA256=D0F784CFA43B908A45F4343B0E06D5780C4005CAAE19267D9B432BCD48476A66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:52.925{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53806-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:55.999{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4E77FAF3A3E06DF31E51BF8C0F36A6,SHA256=D5F07903EC32C4F94DB5D98AE6D32987CAEB622C60086A91B64BDC0EC4347481,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AAC5-6356-800A-000000008A02}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AAC5-6356-800A-000000008A02}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.844{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AAC5-6356-800A-000000008A02}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.845{3A30D728-AAC5-6356-800A-000000008A02}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.376{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=908AB2E23C51A4E1FB6BA10AB053FF05,SHA256=0763B10A99340069CF170ED6F619226FA459C856B929A3234752B0FE7C80C435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:57.064{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45AFC67759F4F358BAAC168BA7CD696,SHA256=94B36397DD7F2B04856454D76AE3F3320F2035657EC80C3CBB86FBE55DAC115A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:57.050{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1FB9EF4844370ABADBF47C6C636368,SHA256=B56130EDFC2212BD84B386089B579F99430672678260B908C679D47B31349F5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:57.041{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55737-false10.0.1.12-8000- 23542300x8000000000000000196777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:58.134{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96633755562E1B816260FD38F4B1FA56,SHA256=983074A9DCE6DD48FE8D122FB998461434A569A5549717B86CA5F51DEC5DBBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.915{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=137BC15B7592E687F723FC036B33E67E,SHA256=71B0CF67B28DECE1E6E135FD7B3EAE45E0DECA787E53B38A697C7A65B1A7BF9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.648{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3BAB756900DF5A7807F903DBD36225E1,SHA256=A263D8E266B77F1921390DC99FA598CAE339767E9D3F94CD342DF9C0E005DA61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AAC6-6356-810A-000000008A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AAC6-6356-810A-000000008A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.523{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AAC6-6356-810A-000000008A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.524{3A30D728-AAC6-6356-810A-000000008A02}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.281{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=780840BE234AAA3E1EA03DF1B32A23AA,SHA256=02022051A69AF6AD255AEAB28A036D56A0BAF3094D689C26A11FEC731659386B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.165{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8F4C89B25F6ABE3D5BF77591EFE907,SHA256=6CCA4FD2F660C209B6ABA58435CE2738DE74E1C2E7D822AD2D6A7534C47AB6A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.032{3A30D728-AAC5-6356-800A-000000008A02}15761328C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.326{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.326{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.326{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.325{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.324{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.324{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x8000000000000000101630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.237{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515F70162E9C5DC98DD532AEF6296D27,SHA256=F051A8C47F98EC145A7229D0B38A1B1730556DFE5185DECDC4ECC78947F913BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.205{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:59.206{3A30D728-AAC7-6356-820A-000000008A02}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000196782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:57.973{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55738-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000196781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:57.973{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55738-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000196780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:59.183{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F014715B1FBF40F8AB9738D506731AF0,SHA256=6B75B6FF4BF979117D68BC488E78AC3C5A10B1F06308695A8302B1FE37224FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:09:59.168{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ED64B688449B5AE59863127D78F4BDB,SHA256=DBF4BE199F872803107AC05CCA40D29FCA3508DA1A636CF25B26FFBEBB4AEE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.583{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E887BAB91405A43258BBE3427952931C,SHA256=4B4C70225B326E774C652A1011E1D28CEC1D78D6C7D30B66A824F9D444A08E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.297{3A30D728-AAC8-6356-830A-000000008A02}3000224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:00.254{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162B6D1EE3CE1FF92BE1AE2E887B62BB,SHA256=E9B5E5E7A3047DBF05D9417CF07C92EEB6EA6E2F1A3EC0C7769222874FC01CF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AAC8-6356-830A-000000008A02}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AAC8-6356-830A-000000008A02}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.101{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AAC8-6356-830A-000000008A02}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:00.102{3A30D728-AAC8-6356-830A-000000008A02}3000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:00.185{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=81E335B5B735AF6F6909008144365C9F,SHA256=616C0EEB5CCFEF13D3F5BBFA9BA48C9744B01507D1DE381C4EC85EB15666713A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AAC9-6356-850A-000000008A02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AAC9-6356-850A-000000008A02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.893{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AAC9-6356-850A-000000008A02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.894{3A30D728-AAC9-6356-850A-000000008A02}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x8000000000000000101674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:10:01.471{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8e7ba-0xb045b254) 10341000x8000000000000000101673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.440{3A30D728-AAC9-6356-840A-000000008A02}9723172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.409{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62057B4DD84D175A72470EE5726A9C6,SHA256=7358758523B3352DF994F08076B815B4D2982098D99A38C4610BABFD4243299F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.339{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.339{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.339{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.338{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.338{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.338{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x8000000000000000196785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:01.288{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF646DBD8AA7F9F4F444ACCB2E9B1D34,SHA256=48B090F5A527D3B3411BB1BE07ECE04A7FA9CC62E680C477B06D9CB56F182229,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:09:58.701{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53807-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000101664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.218{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:01.219{3A30D728-AAC9-6356-840A-000000008A02}972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:02.400{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4B59EF2F8C893D9C62BAEA605EAA9F5,SHA256=DB5E8EF3F1891AECDB99F2057F3E0B965252D9BF6A723EDF9B53A01392B6D0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:02.358{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C928BF48A35B742A9AC3E99C79548D21,SHA256=B559C2C10D516D7CA09CC3D872328968C77D3D905D1506A6C1C8CF50083E6158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:02.296{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DFE9CE4E887CE3C8927276AB2C2F02E8,SHA256=2D7220689F7633B719C99CFB74D429DFEDAD45AEB44A28C1BAC307F13D9B76B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:02.097{3A30D728-AAC9-6356-850A-000000008A02}25402536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000196788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:02.112{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55739-false10.0.1.12-8000- 23542300x8000000000000000196787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:03.507{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD846140B3B548B51F58DBDE1964902,SHA256=5F1DA49509FE0DBAFE0CB376D78B736867132C996B185A2754396028630872F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.623{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.620{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.618{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.615{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.613{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.609{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.608{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.606{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.604{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.602{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.600{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.597{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.595{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.587{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.574{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.555{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.553{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.536{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.488{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.483{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 23542300x8000000000000000101700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.478{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3CD009F8ED01268D99DC547321B16CC,SHA256=B6659DD3AB1E948F9B6519F477493A1F7CDE79F4620091E3FECBC35367E5C10D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.475{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.464{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.456{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.443{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.434{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.425{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.416{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.388{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.385{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 23542300x8000000000000000196789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:04.553{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C54F2E2A7AD77EF566C5BA7BE8BEA882,SHA256=AC127467ECFD169E673789841CE82BD78384D3737D80BC57D8DDEF71ABBD4689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:04.591{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08874939B4F596338FE4C11A78DA4604,SHA256=4AF681B112DE71123AB9D648C0FC4E65C4395CA802E54998BDFB48380DA8F9B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:05.617{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E73D48BF540E953528EF31BA7D94B4,SHA256=B000E42F8BA8AC289D835A334754148F168EE15CE59B707B311B87E29B495973,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.918{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.918{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.918{3A30D728-58B9-6356-0B00-000000008A02}6243116C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.903{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.624{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058D19E561E3480E692769AD9D09C797,SHA256=C8AD3151BCECF70993C86553319D4EF1BA20C53384F6D46516EEE770709D0816,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AACD-6356-860A-000000008A02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AACD-6356-860A-000000008A02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.100{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AACD-6356-860A-000000008A02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:05.101{3A30D728-AACD-6356-860A-000000008A02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:06.692{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40371D9462175F01321CEE4E888827C3,SHA256=8E33E01604CB8EDF6FA2AAEAD6EC1FEDAC7FF4B3A64D8987DDED273DC6730616,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.884{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.874{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.869{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.860{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000196811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.647{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31609A8A2D29718CFEE486A75ED47CC4,SHA256=695C7C5269137EFBA63856B2A6A0A754D7A5F92CAB429189B74240349A84B053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.409{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.396{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.392{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.385{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.382{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.380{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.375{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.352{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.347{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.336{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.330{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.323{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.313{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.305{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.295{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.283{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.270{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.258{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.218{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:06.216{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000101740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:06.214{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=095099175FBF326EB64D19705A23DF4C,SHA256=3D4E44C7B2FA1074DDA5F52C2915C91BFABED519A9B5B916599F995E32E49B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:07.783{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044BB6492768BBF1ABE4F8FE230F193E,SHA256=46ED8182A808E45E52328684CB34D8FAB9F5852E0A44401260FD6EC1CC929A0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:07.856{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:07.692{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F1435ABB5C45DE3F0CD05FF205CDFA,SHA256=295395D7001B73FFA59C10539512DA7B1C7A91EBAF671EF2DA4DB5997E5A702C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:03.886{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53808-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:08.861{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A9A852A6EAC7674354C10D79061BE16,SHA256=54B80778B52CDB986E8633B0E0A47E0688668DAF4A3430BF5B1580A3F4EB6E34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:08.911{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:08.910{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:08.905{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000196818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:08.775{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08CE3E5A40A1F57A3ADE24462F82529E,SHA256=86038F4AF703DDAAE5D03121749CCA71E567770E23EE0E951CA9873DC230FAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:09.936{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741AB71EB5DB94D37E6395B4677F84BC,SHA256=418FE5367D76787BE06890FCAB2322BEAA5B0110B8A7282647DCB74E98381DBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.938{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437660BF77C17389D63A2BBB34EEBE84,SHA256=5C79304FAB86023F89FF56B4F8E6CC22B1B62D5AAC778ADFC4B4C20F4D928E65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:07.750{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55740-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000196867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:07.750{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55740-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 10341000x8000000000000000196866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.629{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.627{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.624{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.622{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.613{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.610{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.607{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.604{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.601{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.599{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.598{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.596{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.593{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.577{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.577{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.576{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.574{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.574{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.572{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.570{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.567{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.564{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.561{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.559{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.552{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.550{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.527{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.523{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.513{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.513{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.512{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.500{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.492{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.459{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.452{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.443{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.438{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.437{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.434{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.431{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.429{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.429{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.424{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.424{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000196822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:09.421{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 354300x8000000000000000196870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:07.989{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55741-false10.0.1.12-8000- 23542300x8000000000000000101746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:11.011{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334B2D77C3F939584DFBEAEE43A8F80C,SHA256=D827099EC9EE285A01D8A8D6703B9B920C957786DA8C6C3507A2D14D27D744E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:11.007{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFF000D39E4ACD7BBD66260F16349DB,SHA256=06FECCA632A450B0ADD8133898C2E6C180FF11E4C53F366D215C36E543D73A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:12.077{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBF62356E2A9ADACB2759FB1001F021,SHA256=EBAD3A6138BB3F60C45BF71A78A259A458A8BB27BC1E6C938FC34592C1F6DD04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:09.848{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53809-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:12.102{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F070E3F8D0AA1EF15D08D3FF93542EF,SHA256=BDE14B867DFCA1BFD7598092BC57268EEECFE2FF49E9FE85647B95D9E23165EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:13.109{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C80C12CE20BA36EC691E5D48C39EBBB,SHA256=D88BAED58524E5461EF122A21B73383CD8280E9FD0792F646CDC6F19F891BBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:13.182{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B91B5ABAA233D9606D4F1438697C8FF,SHA256=A14A85F17F603B2B912D82BF29B31DC34538E38B22AEF4664B9707DE2904D543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:14.195{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=133E8A091884D9EDC89C3D21CB2CF24A,SHA256=38353F09E8B4D728FC3BB61840AAB01DD26BFC29070BD7A5C21EF31141973406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:14.257{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2768D1A5B68FBAB49A6824F02E662450,SHA256=3E79413BD3E63CCFD720CA84B37987BAFA2FF1BC9933FB9E9B9EBB3468DB2C25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:14.002{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55742-false10.0.1.12-8000- 23542300x8000000000000000196875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:15.265{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8AAEE99CD1AA3D3B588390FDFF7D277,SHA256=9367455F0D39D27076787824F85CD9A8B7285EEEE695200B8EADDF8C0A704256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:15.349{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE270C7966C3C2B5228D7E4BF2561F8,SHA256=ADE03EAE95892A8F1175A61F381C144C7FD1A841046E375EDCFEF73E4879768F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:16.347{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A184F94DAF2867185A893A6197220E,SHA256=D3CCA48F6006DA49A2E67AF228A8986AE877AE9E51A40067C5BFBD57A14DED30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:16.419{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD10B6C6D39BB808A6B8DB0AE572EC4A,SHA256=6A5EF47284C5E8283FE3E238794BFD44E913649F593E5C1D51467F8EEA62E035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:17.489{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9B2CB9EB99FCB41BA1CF3D1BD1E975B,SHA256=A8DA1A63E13B34AC8E074DB3FFC5A08CE700BA0F32362F911575B971E37CB500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:17.399{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DAE1A6359893647A806BE6A5A62B3BC,SHA256=070843D1E6B3F9EF4A4D27A460789521AD50D49078715B503F7BBA495F18D598,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:15.862{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53810-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:18.572{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2F2048B32E041A75D32E0F3B717B44,SHA256=C8092C1D8B4135283272DE6754873265D71B698ADE1141F00C065CE385F202BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:18.452{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BBB71EFEE94930B3E66D6DA96885A1,SHA256=ACBA6877C37E7C4F2DEB7F913FF5642ADEE34047A7EEEDA16213F765AB291A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:18.129{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:18.316{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=9406603673F1EA04E6444B0FA41937A5,SHA256=80EF54BC040AC8A845D3BF3F822305CC578B1D9983F1932EA84DC770257D8890,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:16.806{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53811-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000101757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:19.647{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195818874B30F1CD678D03411E4A2B6F,SHA256=2CF37E0FCC7D6959BFEA96459DA13E5F564605ADF8FD3BEAD6DA0AE2806FC7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:19.871{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=28E037E5618914A9A34990E4C4587842,SHA256=B2D085B1CFA33379FE0C0BB4816CE046D62BBFE015B8C0B0E65B4BC08CCB74C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:19.587{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2160FD97CF61C487EB09895D6BAB80,SHA256=AB5269597C28D04917223BB4911598F793B8804434794AEEF027F5EAA994AD3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:20.735{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DBD37A9EB08F2D2D9DF4769FEAFC70,SHA256=1FCD1DB71D2EDFF4BF41B5F571BF34C4902BCB2C07E531BA02292EEB8B454013,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:19.125{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55743-false10.0.1.12-8000- 23542300x8000000000000000196883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:20.652{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D372DA448FF4130E16FE8C81B1EE7BD9,SHA256=609C40E0BBD1C514287ACF148129B00F82F0F842AF21C285D34C9C7FA1CF1993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:21.806{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF5262F11D3A8AD56649B0E510AA143,SHA256=CB9306123B80D69A7EB18165740ACBC598172B701EAB2AA69B9FD162CB798AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:21.705{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5FBDF514D67DFCB754DB4EBFD067E4,SHA256=67BBABBD24EE44CC574B6D3EFE79C305725A45BC50A393C1A7AA66D3FE112BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:22.775{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4B2609E5C780B84C8B0458477A816F,SHA256=C60069643353103452C2B493B59FDA0A0F9AD76D894E5CBB59989EF0D04EBB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:22.885{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82D49CC26D76DD0E120B79DB55AB2E4,SHA256=FF393F39DA4942E8332020A398FCB717926103519789D5948860D03247F10877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:23.838{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D99FD13FB64542402EA07089160DBDE5,SHA256=CE666CFD957E2D15479C5C8BDCCB930EA5E82315A598876EBCDA7C7887F255C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.582{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.579{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.578{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.573{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.570{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.566{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.562{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.560{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.557{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.555{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.553{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.549{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.546{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.538{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.520{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.504{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.500{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.493{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.450{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.442{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.426{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.417{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.409{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.403{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.394{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.385{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.376{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.365{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 10341000x8000000000000000101762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:23.362{3A30D728-58BB-6356-1E00-000000008A02}14362952C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A00190) 23542300x8000000000000000196888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:24.912{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5678459F9E008C99360632E7542CA3B2,SHA256=7DCF6E4756E2ADF25D16AE78AE76BA46612C98330DBAB562231F8ACFC97642FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:21.811{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53812-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:24.275{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296B8DAED4585C6FAE44A58C1DD9621D,SHA256=AE98FC1504B3B7F7ABB59C446C598BBC5148A4D1E92ED1E01437812278B029AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.978{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D48232FF70F192620C0B0EBBC2F85FC,SHA256=FA47C5B5485F477E61AD8C0A15129F2B8553908AACD9126C85B25B22778304F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.936{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D89BFC29A018EF1D3574F04378855C95,SHA256=ADAEDBC95CA32DC30B07AC8ED468AA7DA5ACA0BA629A6645A29B854002A0B72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:25.362{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFB7033ADF9AB230350E822B4A2E45F,SHA256=FA242DA0B278E92861F6C327D7F4AD639112DF63D517BF360DCAC7B6A1AB9A3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.884{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.884{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.884{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.883{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.883{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.883{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000196899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.762{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.761{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.761{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.761{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.760{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.760{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.760{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.758{E8723972-AAE1-6356-4A10-000000008902}9712C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000196891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.477{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_151018MD5=33C421FC9F1CEAE447AA7031F476ECA8,SHA256=C0C21DF761B54A4314247B47ADCA5AC3EB649A043C01B0A543B9301A39A5E178,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000196890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.460{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000196889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.460{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=91ADAD51A0A31DD71ABFAA8F021039B0,SHA256=D74765CD62FF04008B16EC368417923E6E639D8CC03FF4EDD3BDC32C1AD6C890,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000196942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:25.147{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55744-false10.0.1.12-8000- 23542300x8000000000000000101794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:26.448{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9F516D3E8CE84DB37276F67B4EC44B,SHA256=83815488E1A7345A7F28551198BA294ACCDE3C1BBCAFDFF1C1A2027160AA8BB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.833{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.831{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.829{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.826{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000196937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.803{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A3B3AA82F15869A741C343CE45E64EC,SHA256=FCAF2B6B5848828DE7E0645816A3E1A6E277CBBEBE6BECF837BE853F52712370,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.624{E8723972-AAE2-6356-4B10-000000008902}59801936C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.453{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.439{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.438{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAE2-6356-4B10-000000008902}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.436{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.436{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.436{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.435{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.435{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AAE2-6356-4B10-000000008902}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.435{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAE2-6356-4B10-000000008902}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.433{E8723972-AAE2-6356-4B10-000000008902}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000196925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.433{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.427{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.425{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.423{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.421{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.401{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.395{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.382{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.378{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.371{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.364{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.355{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.345{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.339{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.331{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.321{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000196909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.238{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000196908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:26.236{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000101795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:27.553{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372E77554157391C7AC7E3CEC00F2283,SHA256=AA33A073D8317AC28F539FBBC020248EC810E722B163B2BDFAC4F3DD692BF993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:27.180{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6100DF1D9297389A89276A9F55DF4062,SHA256=65A9E81462B620832453B91BE2640E068805D1A6EAE7FCCD48EAE221D8751EE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:27.111{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAE3-6356-4C10-000000008902}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:27.111{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:27.111{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:27.111{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:27.111{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:27.111{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AAE3-6356-4C10-000000008902}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000196944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:27.111{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAE3-6356-4C10-000000008902}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000196943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:27.112{E8723972-AAE3-6356-4C10-000000008902}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:28.625{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C441095FDDDC4FCBE1C4867D931BC5,SHA256=7B4E2CE3A00731C7718F5E2ACCDB24191528C62CC055C28D89A4877DE9417846,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000196957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:28.852{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:28.851{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:28.845{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:28.711{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:28.298{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A8786E238989597F3A37392CE787028A,SHA256=6B0EF183DA38925E0FD1B93778EED47C175F14EF4A553B0A55C2CCDC0E947EA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:28.065{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504A1CEEDAED507BAB2B78FFE7A960D9,SHA256=CF4734AD71A0048BA9B54247A2CAF510C594EAE5FF278B542919BD6EA28573C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:29.716{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0ADC88D1BD7D216E83A44C3C610628F,SHA256=D8B043421F280246F4F8B53E3825FABF7F3C911BB16A61E864D4A2E98746FA50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.884{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3723127BCE8DA478FD045AB73466C71F,SHA256=A2FCF9566EB22934F8BB8C8DE47EC1A642B097F25E3AA4B4669DA3FA4D7ACE38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.585{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.583{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000101798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:29.352{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF6E42DA7F90086CDD36845937293E5,SHA256=988BAE1DD9CF61C759EFD388A804721E38C81FAF9972EDB0E29E2214AE7D2C44,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:25.493{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl58110-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 10341000x8000000000000000197009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.580{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.578{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.567{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.563{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.560{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.557{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.553{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.552{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.550{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.548{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.538{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.521{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.520{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.520{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.519{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.518{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.517{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.515{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.511{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.508{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.506{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.503{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.496{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.494{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.469{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.464{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.454{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.453{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.453{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.441{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.433{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.402{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.394{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.384{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.380{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.379{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.376{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.373{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.371{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.369{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.366{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.364{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.362{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000196966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.330{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.330{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.330{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.314{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.314{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.314{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000196960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.314{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000196959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.264{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FBBBFA6BBD75B339218D6426609FACDC,SHA256=28ED628E581B03548CD63ECFBEA3873B944C79C155F2A5FCA6C34810556E983C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000196958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:29.130{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16C8891D1D8E15DD40115D17F8DE2211,SHA256=3BF190BB3E3162AD6920DADA6AE6DFA4B8489866AA9C0DAD21F7DB09D234CDA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:30.794{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC51F74C5D0FFC6E34C8935E0C0B9AB,SHA256=65D1F69D96791C0050E404A1336CA23269C9C56FED6CD3F6C778931988E6B0C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.978{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.978{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.978{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 354300x8000000000000000101800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:26.854{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53813-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000197058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.977{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.977{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.977{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.767{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.767{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.767{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.767{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.767{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.766{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.766{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.749{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.749{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.749{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.749{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.749{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.749{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.733{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.702{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.702{E8723972-5646-6356-1600-000000008902}13001552C:\Windows\system32\svchost.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.702{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.685{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.685{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.685{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.685{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.685{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.685{E8723972-A4E8-6356-590F-000000008902}101129992C:\Windows\system32\cmd.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\SHELL32.dll+fdb9f|C:\Windows\System32\SHELL32.dll+fda2c|C:\Windows\System32\SHELL32.dll+5b20e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.696{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\2.vbs" C:\Temp\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000197023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.685{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.566{E8723972-AAE6-6356-4D10-000000008902}62129060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.400{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAE6-6356-4D10-000000008902}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.400{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.400{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.400{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.400{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.400{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AAE6-6356-4D10-000000008902}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.400{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAE6-6356-4D10-000000008902}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.401{E8723972-AAE6-6356-4D10-000000008902}6212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.231{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E4108A0E64E116F303BD6153DA1EE4,SHA256=8B9B2FD2FF480A34EE988B80772EF1B0845656C0BC7963D0883DCBA49A0BD96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:31.860{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89FDE308B53B443392CA249C86B2770,SHA256=0FF941C5C680A6636B642B8B1B66B9D6A70DD08EFFAF1D70301F6148CFF4934F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.919{E8723972-AAE7-6356-5010-000000008902}736010068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.749{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAE7-6356-5010-000000008902}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.749{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.749{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.749{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.749{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.749{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AAE7-6356-5010-000000008902}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.749{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAE7-6356-5010-000000008902}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.750{E8723972-AAE7-6356-5010-000000008902}7360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.302{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC059F5D1DA1ABE404EC2CD9C3058448,SHA256=210FBAF0AF70DDF832E7DB9E58AD17988ADBB5997597CB0BE54F68814C0D7C9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.248{E8723972-AAE7-6356-4F10-000000008902}81768716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.069{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E79057F1526BCEB516E44EBDB5C9A28B,SHA256=A95A9B62F82E64CDBA225CD3C4E068524B254F55F005F8D663654FA98C20E13B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.069{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAE7-6356-4F10-000000008902}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.069{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.069{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.069{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.069{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.069{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AAE7-6356-4F10-000000008902}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.069{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAE7-6356-4F10-000000008902}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:31.068{E8723972-AAE7-6356-4F10-000000008902}8176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:32.929{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8153498A3BC947A8087B567701FF5A,SHA256=8F22F15A0FEEF9C8B773F07C86EAA28CB5814F5BAD87108AAB80469A8B616950,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:30.892{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55745-false10.0.1.12-8000- 23542300x8000000000000000197110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.819{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6366966A1CD5C5AC65FB25B60A9BFD08,SHA256=3BD14DF8D4C035EB312BA67A80484D5F594834522FAB33C818DC632081A336CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.704{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.688{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.688{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.688{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.688{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.688{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.688{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.688{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.519{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AAE8-6356-5110-000000008902}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.519{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.519{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.519{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.519{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.519{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AAE8-6356-5110-000000008902}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.519{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AAE8-6356-5110-000000008902}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.520{E8723972-AAE8-6356-5110-000000008902}6076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:32.334{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CB6CC76CB53ABD9CDA094221EC1041,SHA256=01B0A55097CC5727C7B944F8A3F28AC1D23A9F83E19471FF7E2356F179457C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:32.400{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6D205CADE99418706FD07C0176CE1FBE,SHA256=621AB2EE2378904DBD85FD7FB8BDB7EAC2B72D4FBE0734F054638121EC990A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.437{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A938C2F2A425598FA41BF833388B95,SHA256=E6E3D8DFD7A50F3FF0CCBF0846AD0843A99FFDB84D7C2A747BBE272CDA2380BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.421{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAE6-6356-4E10-000000008902}5496C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.406{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.406{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.406{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.406{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.406{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.406{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:33.406{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:34.436{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194187FBB5746755C15E6B7D341ECA14,SHA256=07CD2A81BFF548A86853D8BEE888E5999CC81B886A03E073213B2DF9A46D93E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:34.005{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F60B2EB6DFB7CF679053A2E373A69BD,SHA256=75F8F41A654A342B8BD3A588166BC0F0DAFCB895F46A5819C1C37454798838FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.907{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.907{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.907{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.907{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.907{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.907{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.907{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.506{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201D03631FD5E98F1983D52C12BD75CC,SHA256=DF11B8A3B94E7BA0F783EC2D6DDD289763BE9C1CB9EAC74F34FE0F23266CF906,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:31.871{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53814-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:35.068{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=964D0413EF19C4602409242A29A1CBF4,SHA256=0AD547E8D0C0C4EF9D1523890D54D745E15397BA6B1CFDBF420AD89C853DE28A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.073{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.073{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.073{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.053{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.053{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.053{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:35.053{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:36.574{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C8646EF5C6EFF54EAB81013F5F7A465,SHA256=995AC632E20A6E44BA9FA16FDDCF04A4DEF8CC2A7FB8FDEB19F4C7B20C95358E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:36.127{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B905BF0E6594958530A1D45AEE6B76DE,SHA256=5595D38867CA02A083343B85A0DBAF10887FFCF3DF9B293EFF107EC04E6B9D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:37.612{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-351MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:37.611{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83B2550B918F3A06D445D9E8D3145D15,SHA256=5BC754907ECB521542F472D037EBF80F13949D52E3D2C2E5C4DC968A2C390193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:37.210{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019A8D85924093174FE95DAA87146E91,SHA256=25FD8A1FB643B50CB0FFAAB0173DE1CD15D6D2F81804EF8812791A977A01DA4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:37.209{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:37.209{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:38.676{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44088E33C23610156651A5EC19D5F34B,SHA256=16BAEC368CAE872D020D998663CFD03161EEDB93BD1CABFE3E5DF970EBA37756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:38.305{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AC662BAB0BC5640C638FA7F184457B,SHA256=2ABC8650FFA384A906BA6E36A2D7D7714D65E79B01F75986D9475CF712B7039E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:38.242{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8B1510F8E0D2DDE1B0CB24FCDBF27BCF,SHA256=C913BC4C5EDDBE1EA50AAC661C56FB4C132397F2BEB42FF2163F04A89FDADC0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:38.611{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-352MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:36.015{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55746-false10.0.1.12-8000- 23542300x8000000000000000197158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:39.727{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D8DB3E9F10F6BD548E42E0F2A044D0,SHA256=0CA5E229A362DC1947FA0EDCA99D16338E5C97D687FFAC92335FCB0469910AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:39.273{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7229AA3046CF9E04C371217C24D8C331,SHA256=65149B4058D0C14486995CE6A519F0102598F1A88DF44373C34BA855CC45D512,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:37.103{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55747-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000197156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:37.103{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55747-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 23542300x8000000000000000101812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:39.174{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-341MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:40.877{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826F6CAD49D40C7364384E98FA5C1526,SHA256=A5B8ECEBF59D639E20EB4577F55F2C39F2F8672EB52A1C1A234C9BD7E893427C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:40.351{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259051C11496E757AE46DC336D435C28,SHA256=E2B88659E25631EC653DC7F11D39CBC002F77B3071202CD497F21FB54B70658F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:40.173{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-342MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:41.960{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE6CFCEB87D299A59A31519BBBBF3C6,SHA256=006C9F52B94B779DADF726030F6EE28F0BC5B8EF30064D1F58F3B328A51F4AE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:37.747{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53815-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:41.437{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DA26382207627C9FBCB19C69632316,SHA256=B8C5A536B7190F2CC30A16E8B63BB224B2800C3FB3B4BB1EE9C3B7287A2739B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:41.151{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55748-false10.0.1.12-8000- 23542300x8000000000000000101818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:42.531{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA22FB0BBC97BF96D57DBCC4F73BCCBD,SHA256=5FD64BAFF378C790CDC78431B7AB8BD58FDF3AB9B6EDD5D6CD7617E26E56809D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.962{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6863BC5EF194CC921A8974E5394FD57E,SHA256=09B03859C9797E0E4157842365BB06470B048205E918CE425B1566C2A2457DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:43.016{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081B7E07BFD5846BC2465B7BA95E272D,SHA256=F0965D37BDCD7C66896263C207A217D5788AA818BE322CED0A722281EDB1BD0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.542{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.540{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.537{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.535{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.534{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.527{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.521{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.518{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.517{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.513{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.511{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.507{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.505{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.497{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.491{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.479{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.477{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.464{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.436{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.428{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.421{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.412{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.408{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.403{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.390{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.384{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.374{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.365{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 10341000x8000000000000000101819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:43.361{3A30D728-58BB-6356-1E00-000000008A02}14361384C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FA34190) 23542300x8000000000000000197163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:44.071{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16CF951EE17B1068BFE9C311862538DB,SHA256=06FE9C675D73BE6D81E8C439758602854BFCFDB54A2E72B66A88D55CA8E9E496,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:42.856{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53816-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000101849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:45.032{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08997C24500B489D81042B6BF8A95A9E,SHA256=01106975EB0B649BD9F30D3C84DEF344584008231F1BBD6CC1E5B6BBB7539C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:45.101{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D5494D35F3E1D7C94310D2C25F3962,SHA256=D72D6D910C38DF5CFB47CC34BB9282E9721C55107C3D9D1967E69AEC36ADE248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:46.109{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C6C2C69A8EDEC50437D525DEEECE40,SHA256=C01419737B1BF4C3159336C62FFD3284E73F7F7CEB6A1415D7D333770CA8A00D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.939{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.935{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.934{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.930{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.425{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.409{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.404{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.396{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.394{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.392{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.390{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000197179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.361{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.358{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.351{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.337{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.331{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.324{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.315{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.306{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.294{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.286{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.276{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.266{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.222{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.217{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000197165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.165{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=078E3751C95DF3E23022ABCF1AAD702D,SHA256=3870B05E966B377C602BE79BA8B2C520458DD64F9D3E4B3A3FE32D4EBC09F1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:47.188{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F07127EF2BC7E536CFDDA2B910F617,SHA256=476AC87FA127819D46073E0BFC9E18F9E2F3AA365E9856CF19D9E32AFE59F2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:47.187{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6EF8416924BABBA8243CE17F611DA48,SHA256=A4E977EEDFECE3EDAFE8278C401B172C8523C316E41D237394A99EF1D91D07C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:48.274{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78BA575EFD93436B151B9E6BCE42AB4,SHA256=06CFE7BC1C5DC0AF8C38A9155CCDB6F02D0F9DA6717A6B6B838D64800FACAC25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:48.983{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:48.981{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:48.969{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000197193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:48.221{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FECFFCD2E2E6E9AAAF0810FCEC5408,SHA256=D52959C4F9442530D5E85D6F185FD5AB8E05D0740EF96C4F5F74DC5052904398,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.238{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55749-false10.0.1.12-8089- 23542300x8000000000000000101854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:49.356{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5125E2E7A56D3812CEF9C16416E44580,SHA256=8731613C78C54CF6A1AEC7EBCAB1E1F0323C1782FC90274CE9673251F35AF81B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.742{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.737{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.735{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.733{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.726{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.722{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.719{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.715{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.711{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.709{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.708{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.706{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.703{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.685{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.684{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.684{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.682{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.681{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.679{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.677{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.673{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.669{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.665{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.660{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.652{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.650{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.622{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.617{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.604{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.600{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.600{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.582{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.569{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.528{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.521{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.510{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.505{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.504{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.500{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.497{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.495{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.494{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.490{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.489{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000197199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.486{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000197198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:49.288{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752E3C9E8C2CEA5A39CCA2B2EE143470,SHA256=F7B299BFAE298376D20A61997995B5A7C4978B1BCC6B44D2059CE4DB35CEEE09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:46.965{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55750-false10.0.1.12-8000- 23542300x8000000000000000101855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:50.452{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4E8A9EF5E82167E1C311F7049363F57,SHA256=CA2A3FD4EC38751A1112D37A8390B5DACB6CA5010150F85A120B3D0D73D21940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:50.623{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=174DFDF7866A40D6CFF2F71F015DD6EE,SHA256=53823DF2B20ACE7DED912D8DD14C97F28FCE9FC9C2E75E57073F9C9D245E9144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:50.470{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28492E643EE0BA31D25994D94D33977B,SHA256=BFFDDA98558942FD790A9457A61EEE728B00EC3E6968DF289BBD796365493ED0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:51.528{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7220DAE5E46ED4DEB3F7A415005322,SHA256=8203C179588330A6A0C0FF2073FF480F578863AAB78DC48FE079AB023443F4B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:51.490{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA24D1A6E36739AC63671F7A291AFE12,SHA256=2EF13CF082ABF4123FD7A118E4BAC8B6B5678C76A3770AC84FE2E0765C35D90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:51.184{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\2.vbs@2022-10-24_151050MD5=09A618D2615847A8F7E5378078C9F8C0,SHA256=475C882E40DD031C266FB535D42E7DA3C1BCBBCCC156688A1474834CECB9ABE0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000197247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:51.177{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbs2022-10-24 14:44:33.924 23542300x8000000000000000197246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:51.162{E8723972-59DF-6356-B003-000000008902}4440ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\2.vbsMD5=D64967B71BCB39418B7334985077538D,SHA256=9B08AE80EFBD300EB0D46B48E2DB69A8A62799D9FE50FE680268A0B228F82997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:52.620{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F42475CD14F5B78A8585D9A641EBB4F,SHA256=2605167CDA0BB9E85A97D736A4BD61BD7FACCF110E2A98B6209145F817DE3BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:52.573{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3244BF18D2B321C1655F4038AE1781C,SHA256=83C2C698458F57FEE6B89C32164A68959909F7E4BA8EEBF4AD726C98DDA8BB60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:48.745{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53817-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000197250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:52.111{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7D4A6B895665199145895B0E0015C8D6,SHA256=7DE97C21C98AF3A09D7CD697F6C9BA029DCB24C4EE56015BAE00830537027FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:53.706{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE627646F56E138A2D962EA38435001A,SHA256=B77229CFD5BCE48E3CB4A0B2ED84AE5560486D18B7802DDCE0A31FD40E88A195,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:53.874{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:53.874{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:53.874{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:53.874{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:53.874{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:53.874{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:53.874{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:53.643{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A109487E948D0B61C00E2D49EE81673,SHA256=A816C8F30C6608361F63532190E15D88E879DF0A2AE62F375B92D920CEE8C560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:54.797{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40C2FFC5BCA8CD6ED83FEB48CD08A16,SHA256=1602F7BB24C89C98B2C9357F198BA56613F9170411B5702AD55EF52E5C2AC53C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.975{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.975{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.975{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.975{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.975{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.975{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.959{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.959{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.959{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.959{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.959{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.959{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.959{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.959{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.959{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.944{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-58FF-6356-7F01-000000008902}6488004C:\Windows\system32\csrss.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-A4E8-6356-590F-000000008902}101122492C:\Windows\system32\cmd.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\SHELL32.dll+fdb9f|C:\Windows\System32\SHELL32.dll+fda2c|C:\Windows\System32\SHELL32.dll+5b20e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.912{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\2.vbs" C:\Temp\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x8000000000000000197262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.896{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:54.675{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20920C681AEA6020E272CC20E8CFAFE3,SHA256=DA67F68FFFD9368E306F613C1736E3C1457663EB70E63B606C3E0FF25BE1DA03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:52.068{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55751-false10.0.1.12-8000- 23542300x8000000000000000101861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:55.902{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37B7EB323C964FFEE5EC5C2A9FB87F23,SHA256=6CD14FFD9B27B86EC494CE54DC8CF5BB119318358C1391EC2D9AC17BA6E3A4A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.996{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B21592B2DDBEB4C1EBAEDACA30C4568,SHA256=ADD002278385588AFD6CB691071E98DEB1713866D835EE4BA119ED08D868D31A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.976{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.976{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.976{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.976{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.976{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.976{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.976{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.976{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.945{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.945{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.945{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.945{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.945{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A21ABDE270248299E14ADA95DB0F1DB,SHA256=1079524D0E5B8EE69AA72EB08F3DD40B54A34BA401BECF86E89533C71811530F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.929{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.929{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.929{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.913{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.913{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.913{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.913{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.140{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.140{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.140{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.140{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.140{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:55.140{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AAFE-6356-5210-000000008902}9252C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000101862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:56.976{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0535667D8F6787ED4572A96458F42EA,SHA256=EF7C6CBB78EF1C858DB8E763E79BF366696D9B8F0A50733F5E31A914D1AD6528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.979{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.979{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.932{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.932{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.932{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.932{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.932{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.932{E8723972-AB00-6356-5310-000000008902}15244868C:\Windows\system32\calc.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\windows.storage.dll+14d60e|C:\Windows\System32\windows.storage.dll+14d302|C:\Windows\System32\SHELL32.dll+100749|C:\Windows\System32\SHELL32.dll+ff2f6|C:\Windows\System32\SHELL32.dll+f1bc9|C:\Windows\System32\SHELL32.dll+aefce|C:\Windows\System32\SHELL32.dll+fe2d3|C:\Windows\System32\SHELL32.dll+fe19b|C:\Windows\System32\SHELL32.dll+fdab7|C:\Windows\System32\SHELL32.dll+5b20e|C:\Windows\System32\shcore.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000197352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.921{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Windows\system32\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\System32\calc.execalc.exe 10341000x8000000000000000197351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.898{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\system32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.898{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.747{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.732{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\system32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.732{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\system32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.631{E8723972-AB00-6356-5410-000000008902}52485280C:\Windows\system32\svchost.exe{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\system32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115196|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.596{E8723972-5644-6356-0A00-000000008902}6249588C:\Windows\system32\services.exe{E8723972-AB00-6356-5410-000000008902}5248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.595{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-AB00-6356-5410-000000008902}5248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.578{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AB00-6356-5410-000000008902}5248C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.578{E8723972-5644-6356-0A00-000000008902}6242840C:\Windows\system32\services.exe{E8723972-AB00-6356-5410-000000008902}5248C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.578{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.578{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.578{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.578{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.562{E8723972-5646-6356-1400-000000008902}10528824C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.547{E8723972-58FF-6356-7F01-000000008902}6488004C:\Windows\system32\csrss.exe{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.547{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.547{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.547{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.547{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.547{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.547{E8723972-A274-6356-DA0E-000000008902}47208348C:\Windows\system32\wbem\wmiprvse.exe{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\system32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\wbem\cimwin32.dll+3adce|C:\Windows\system32\wbem\cimwin32.dll+3d475|C:\Windows\system32\wbem\cimwin32.dll+3ab15|C:\Windows\system32\wbem\cimwin32.dll+3b393|C:\Windows\system32\wbem\cimwin32.dll+3bb40|C:\Windows\SYSTEM32\framedynos.dll+20256|C:\Windows\SYSTEM32\framedynos.dll+218b5|C:\Windows\system32\wbem\wmiprvse.exe+1704a|C:\Windows\system32\wbem\wmiprvse.exe+1724f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+6543c|C:\Windows\System32\combase.dll+650f2|C:\Windows\System32\combase.dll+63998|C:\Windows\System32\combase.dll+6178d|C:\Windows\System32\combase.dll+60e5f|C:\Windows\System32\combase.dll+7c369|C:\Windows\System32\RPCRT4.dll+35824 154100x8000000000000000197329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.552{E8723972-AB00-6356-5310-000000008902}1524C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEcalc.exeC:\Windows\system32\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding 10341000x8000000000000000197328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.531{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.531{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.531{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.531{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.531{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.531{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:56.531{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB01-6356-870A-000000008A02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB01-6356-870A-000000008A02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.856{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB01-6356-870A-000000008A02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:57.857{3A30D728-AB01-6356-870A-000000008A02}3476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000101863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:53.936{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53818-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000197386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.733{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7B1820A9C0A2DC545E398F9DF87FB85C,SHA256=88258A92E5AA10BF62E7CB79A0A983B5F0B28EC4E480B3F4B53B43BA4F3058CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.292{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.292{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.292{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.271{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.271{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.271{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000197379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.231{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=59CA29573D64E0C01DF323E170F3D71A,SHA256=136B98CAABF049F5EC3E075711E4FA3F2F9CB7359728C0286027D2DE05287505,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.195{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.194{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.193{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.192{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.192{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.186{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.186{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.185{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.185{E8723972-5904-6356-9601-000000008902}52567104C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.184{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.184{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.184{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.183{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-AB00-6356-5510-000000008902}8992C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.171{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5410-000000008902}5248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.171{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5410-000000008902}5248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.170{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5410-000000008902}5248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.170{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB00-6356-5410-000000008902}5248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000197361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.118{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A37A11E301D179126C491BD2A013235,SHA256=80E044948B4F384F4F983E13E5365B1FB22A8B222165A048FC87C9FEC77B2D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:58.129{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E853AAD65BABB8A6BB026232618F9B2F,SHA256=4C5C350BEAEDFF489060F42DE000B0333A35ED43DD5A2217682B00D4F248591C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.918{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=227628DE72957EF5D6B877713D306392,SHA256=5B3E2B093E52659AD6758F0B27C4F9D302ADC079D9204000D8F7474033500938,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB02-6356-890A-000000008A02}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB02-6356-890A-000000008A02}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.886{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB02-6356-890A-000000008A02}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.888{3A30D728-AB02-6356-890A-000000008A02}1816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.652{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=89FDBFA239BFFFD7BECC517BC993EF2F,SHA256=B99A996102611A2702744FD3B1C796D99032C6ECAB5E34E0D55E1CBBC2D816D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB02-6356-880A-000000008A02}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB02-6356-880A-000000008A02}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB02-6356-880A-000000008A02}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.386{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.388{3A30D728-AB02-6356-880A-000000008A02}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000101878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.271{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=781012CA4DE1C818FCA234C8F3EA01C3,SHA256=C08371D8EF4AD572FCD6D0A96FF91AB2E740F744F747868568396356CC31CA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:58.091{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEDA19F8F91FF786CE3E58F720039DD,SHA256=0A566B3844371B8D63BEB8EA7DD73C690AAB7CD85108E390A3B21FC03DD2FFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:59.334{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=274B63D7B8BD33D7135CEA173AFB1A47,SHA256=AEF196C7153DE83F0DAD272F28631B765AB6CA9484D0FE89E1A1CB44EAA589E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:59.234{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF368003DBA36D402380E4250084B3E0,SHA256=C50E1FADBBF6EABEDE4F6850A80B79C4F8828FD604260A1D635C294E114D82C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:59.233{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F8BD4767FD182D95408F199B5AA444,SHA256=280F0F8FE98B783A325EE55337076EE5F632C2671B3EBCB302FF907F0D0B830C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:59.152{3A30D728-AB02-6356-890A-000000008A02}18161000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:59.002{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+ab315|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:59.002{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+ab22e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:59.002{E8723972-5904-6356-9601-000000008902}52566428C:\Windows\Explorer.EXE{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:59.002{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:59.002{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:59.002{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:59.002{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:00.282{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88D13BE452B8B81368573790636A94B,SHA256=3DC7BE26CECDEC0DB74D9D7000A41A2C6B7ECCCEFD68CC2072640195816C0B69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.378{3A30D728-AB04-6356-8A0A-000000008A02}3300404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.301{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.301{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.300{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.300{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.299{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 10341000x8000000000000000101923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.299{3A30D728-58BB-6356-1E00-000000008A02}14363052C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900610) 23542300x8000000000000000101922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.265{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E760581A95828A84F7B2B436700C9F58,SHA256=C177515419BB2BA1B56B2A494F14717D301DDE54050D615284480CECA691D657,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.988{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55752-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000197397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:57.988{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55752-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 10341000x8000000000000000101921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.115{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:00.116{3A30D728-AB04-6356-8A0A-000000008A02}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:01.321{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D8A987D8C29B0EB78E7A680AFC8223,SHA256=A7A2E0B99E6C934C46D8969B46224C9B01D978389A1EDABD4E0DF31C2340DBEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB05-6356-8C0A-000000008A02}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB05-6356-8C0A-000000008A02}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.904{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB05-6356-8C0A-000000008A02}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.905{3A30D728-AB05-6356-8C0A-000000008A02}2012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000101944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.461{3A30D728-AB05-6356-8B0A-000000008A02}31683216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000101943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.368{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9446C126B076A3EAB1071FDAD50432A0,SHA256=5D85DA4CA69849C3D33445CA0B5274F5083C510E2CCE2BF4B7119A5E5FD905BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:10:58.042{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55753-false10.0.1.12-8000- 10341000x8000000000000000101942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB05-6356-8B0A-000000008A02}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AB05-6356-8B0A-000000008A02}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.239{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB05-6356-8B0A-000000008A02}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:01.240{3A30D728-AB05-6356-8B0A-000000008A02}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:02.470{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB004FBC1ABC1804313C89412D614D73,SHA256=D28C848F647413037F1C20F26F72E281D8BADEE7D176F42607E8771B37B2F6CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:02.599{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B0137392FF3B094DD087B7E4B04FAC7B,SHA256=DFA9588DCAED4AB671DF101CFD7B9651E3305827EF3F5F4E132E82481B8910D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000101960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:02.427{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC596155B9F516289D13AA87826830CE,SHA256=9333BE06AF23DB9E7982DFD5632BF4CC3F6D6BB7FABD943CFA6845659A57E767,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000101959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:10:59.782{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53819-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000101958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:02.186{3A30D728-AB05-6356-8C0A-000000008A02}20121440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:03.506{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67E3F210CC9C5F5B0FCA7A8B97457C2,SHA256=759E0F661B51D052A1019A72069B072245BA7969112D7AE4A94424A0A476A879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.641{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.639{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.634{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.631{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.630{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.625{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.623{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.619{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.618{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.610{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.605{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.599{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.595{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.575{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.565{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.538{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.531{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.513{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 23542300x8000000000000000101973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.511{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537C9F8ED584C25107CC1E3B6E75A80F,SHA256=92B42042D5B86F31DC32FEAD18828A04AF3C02D5B1F1DF6A3EF11FF48E9DEE17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000101972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.463{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.453{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.444{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.426{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.414{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.403{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.388{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.384{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.377{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.373{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 10341000x8000000000000000101962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:03.365{3A30D728-58BB-6356-1E00-000000008A02}14364076C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000017706190) 23542300x8000000000000000101992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:04.481{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E3C701FBD5266941465E9A07422808,SHA256=23CDB94FBBAE9B704329A2341AE93D2FC759F41FB752B84E27BB951E8F99DAEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:04.557{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4619AAA3709D31157BD9A6333C4A0A98,SHA256=05DCDB45D10D343C307370D50175988F2B65F384E5F792CFAFBC7553422F4E63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:04.473{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\datareporting\glean\db\data.safe.binMD5=B124843F456D5AA366BFFF897C93601D,SHA256=2E47D8BC8EABB12BB771575CAF9A34255C38CA59C7213F9B2783C67E87889AE7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000197416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000197415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x014b2f72) 13241300x8000000000000000197414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b2-0x748b78dd) 13241300x8000000000000000197413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7ba-0xd64fe0dd) 13241300x8000000000000000197412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c3-0x381448dd) 13241300x8000000000000000197411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000197410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x014b2f72) 13241300x8000000000000000197409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b2-0x748b78dd) 13241300x8000000000000000197408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7ba-0xd64fe0dd) 13241300x8000000000000000197407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:05.959{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c3-0x381448dd) 23542300x8000000000000000197406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:05.607{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=252828F64A68E9128825AB9108C692E8,SHA256=BB1FF693DCB764B4460D586793A9F517528A50CB921B6633C128A5CA20297474,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.938{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.937{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.937{3A30D728-58B9-6356-0B00-000000008A02}6243116C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.914{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.563{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C744AEFBC0037FC1F40D85061D886F2,SHA256=12454392EFC69E2756D5D5A226BB7BDA0F6D1BA1D55BB0623E88725AF7746EE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB09-6356-8D0A-000000008A02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000101995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB09-6356-8D0A-000000008A02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000101994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.114{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB09-6356-8D0A-000000008A02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000101993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:05.115{3A30D728-AB09-6356-8D0A-000000008A02}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.929{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A422674DFFD6F589E48F1ACAAE804B,SHA256=95AE4AEA8E35A19820260018568642BF3C04AE5828BE56E6CF9E3DC689EFC155,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.843{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.840{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.837{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.832{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000102013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:06.916{3A30D728-58BA-6356-0D00-000000008A02}7723908C:\Windows\system32\svchost.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:06.644{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5ACC9BE55A1BAB283F75E4D754DA03,SHA256=5B7A7D636192EE4689F52463D28E2E330AC5F6F0E67D0CAD7008AA89B93370EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.415{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.403{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.398{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.391{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.387{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.385{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.383{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.355{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.349{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.335{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.323{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.316{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.307{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.297{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.284{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.275{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.266{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.258{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.217{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:06.215{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 354300x8000000000000000197417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:04.033{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55754-false10.0.1.12-8000- 23542300x8000000000000000102011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:06.205{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8689502AD052557AF988D23BD9FACFAE,SHA256=7CB1DEBEFB67F4E58F41FF7E56BC5BD0387834408B90F10A9112CF3A9D04FD43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:07.931{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA309D58E1E260E3065D17607913A10,SHA256=0E16E13ACC81A7DD3175E1E18E40AD17D336E39E02681CFD7C6DF94D13C85DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:07.737{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605FB6EEA27034D5DFBE3722D9CE5581,SHA256=BF6A959611DADEFC61987E57399C17E76F4714CEEE8D2375AA96C5DE99E5BE95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:04.848{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53820-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:08.825{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3764E4280C14B0885BF8B7302570E790,SHA256=A101DCE941564191370E5AABBA0A51CC4A5C9332E4888D93DE79B22D74730538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:08.871{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:08.869{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:08.863{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 23542300x8000000000000000102017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:09.922{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974F7F87BA0C08716F1441AF219294E1,SHA256=212B8986CC97898E0136C86ECB9CE8CF9BEA0FD1F3CC745C6C12E6216CAC86A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.716{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.715{E8723972-5646-6356-0D00-000000008902}912932C:\Windows\system32\svchost.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.596{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.594{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.592{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.590{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.583{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.580{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.578{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.574{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.571{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.570{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.569{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.567{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.564{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.544{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.544{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.543{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.542{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.541{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.539{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.537{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.533{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.530{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.526{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.523{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.516{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.514{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.490{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.485{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.474{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.473{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.473{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.458{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.449{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.417{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.411{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.402{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.397{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.396{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.393{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.390{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.388{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.387{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.383{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.382{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.380{E8723972-5912-6356-D001-000000008902}56045576C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012E003D0) 10341000x8000000000000000197450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.248{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.248{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.248{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.032{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E8C267E048D9D15C99928DC63C8AF9D,SHA256=1F9518452507CCFF0200E2A74BB63F89666A181184DBE68BAA37040F568BD96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:10.249{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AA73316CFC13BCE79B69AFE7018783A,SHA256=9275CD65841016FFDF4693A8B19A720D1D5C80B929C8226C5C4B9597CC96FDAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:10.233{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B8DDC2EFDADCF0F013128364E28CE4,SHA256=284275BA9E26B26D693E4499E9CEA565632659AC790F70867FAFF49F18B2E4EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:11.315{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F373A54FCC3EFF140749F31A4E160EA0,SHA256=BB2BE66E4F362D9D58215BC7121E18880064FD26265060C57047BCD584CAFE3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:10.999{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62B95AC895D9D08CB9375EF9182FAEF,SHA256=118E37CA54C72B3E505F1C2B253A1F986658404676E8B999E2777638F5E9621A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:09.055{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55755-false10.0.1.12-8000- 23542300x8000000000000000197535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:12.368{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37214CE2EA1BB330D0CCF3043700B3A3,SHA256=F96E6AFA9FD6DE01F032EA60EA989BE9B8BA0701C8627E5B8F9C7E9DF47B12C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:12.085{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EF1A791F1DA3DF29DA93C396E85272,SHA256=2DA18538B7962264D3502D589F3DD86AD08BA03B40022FC0516F60A4C855A15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:13.438{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6E5F3DF58DE84569E7153F11043106,SHA256=E71FC431FE85D0438D7D27A449B1BEC902FE13A4CE51D74AD4F7964957A732E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:10.745{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53821-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:13.172{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7FD4195492F307B09EC7DF087BD88E1,SHA256=C046D006844E8FDB07F78A0CA0FD871CB3A0FCE1B6DE7F9B8803ADF5A09B74D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:14.488{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CB0DCF1D34DEF56426739187C121ADF,SHA256=F918189DCE415B9052466EEB6C6CF595997CEDABF0AE794C609D8965F1780B2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:14.244{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61D9F9DF0BBA44E9A6B51FA1401BF6C8,SHA256=3C39D1D4C707F8C2684524738587A1258C4BA7C2483965D664E0E681F39AB85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:15.543{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863E46B6DCF4B1008E0AE68D6B8A8E33,SHA256=3B3A8DE18887749C99A225FAB468364742AF666590FA3CC90E1F1E0D69A0964E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:15.332{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96478E1558425AB72F2267E8403A6775,SHA256=9590DC571F4FC187ACB0FADB0B9568BB27651D35058266F32CABEC19B294C627,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.660{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5642-6356-0100-000000008902}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97ba2|C:\Windows\system32\kerberos.DLL+79d58|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000197543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.660{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.606{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B11BCB81A368EC82506435919370D2,SHA256=D74127C276313FA1663C3301E93AFF662B3FBAA23A180A1A26F4203764ED8484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:16.402{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C5432063DC93852F68A113A1A75D526,SHA256=AC5BD454E51B22234F2E91221042ACBAE12DD3FCB12229E23FE8F78CE55FC36B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.559{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.559{E8723972-5644-6356-0B00-000000008902}632812C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000197539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:14.950{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55756-false10.0.1.12-8000- 354300x8000000000000000197552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.455{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55759-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000197551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.455{E8723972-5646-6356-1600-000000008902}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55759-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000197550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.454{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55758-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local49666- 354300x8000000000000000197549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.454{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55758-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local49666- 354300x8000000000000000197548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.454{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55757-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000197547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.453{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55757-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 23542300x8000000000000000197546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:17.728{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513D82656FE2BE6A8C91B43374C1BFF2,SHA256=BE97D519E1E58C1CE7FEB4D569E1B4C98D2A38F29D4C2836592BB9766303A318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:17.676{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FBC3D6039506E9C2280C7181D2CE8F4,SHA256=960AAFB7BE23D314E082235BC325C4563DD8B6490EC339B49D38169ADA92876E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:17.494{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A633BBCCCC43052848840E58B12173B9,SHA256=639A4072C5CB153CFA52F392AF5F2A866D0341AB31EDC39DE2717BEF25E83CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:18.744{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991AEBC49949F4C69001ED779C31F058,SHA256=327D6A0D415970D64A2D207A505F52489C87354AC19013F8B530F6639CA8C3EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:15.837{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53822-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:18.581{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3DF7E6FCA0F2648D05CD45C1FE61CC,SHA256=CAC7306ADF56D56C04502021DFF4919DA191EBF6800F88D56D9B589532864862,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.558{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55762-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local49666- 354300x8000000000000000197557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.558{E8723972-5646-6356-1400-000000008902}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55762-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local49666- 354300x8000000000000000197556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.557{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55761-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000197555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.557{E8723972-5646-6356-1400-000000008902}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55761-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000197554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.463{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55760-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000197553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.463{E8723972-5646-6356-1600-000000008902}1300C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55760-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000102026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:18.150{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:19.775{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D9E2B32CEC122EAA04D6F53ED6F37B,SHA256=06FA28FA244120E2DF3707B5BF3CBC2E21B8F289FA855A90A4CAD6D6CD3EA272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:19.664{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0294CF4F7B997EAA6DAFCE96CB13B8A4,SHA256=30A117E7F24FAC504D04A028ADDABD059A13FEFA303366A7B471DE751764E7B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.562{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55763-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 354300x8000000000000000197560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:16.561{E8723972-5642-6356-0100-000000008902}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55763-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local445microsoft-ds 23542300x8000000000000000197563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:20.906{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C8F8A51BFDA881FE24702D03A2CFCA,SHA256=CA8CE2B79494C76032094714DFE631BB945E82D39FA499ED30642B1CD00BA26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:20.753{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAC4764A2D7D595D7F12F3806B002C6,SHA256=DF34E1C46F660D9903D71BA500DA4D3664F6995926EB3D051CB372925D431DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:21.923{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194C04482A225DD0472E706DB2A9A9D0,SHA256=EFD2DFC91BD5D5068899A6F7E00908EC7324E5E4C3410989FF8FB625642FA96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:21.823{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF43D5E277955DDA92E31ED4DEEA880,SHA256=8B7A5AFBAA36A69DC6847AB7A13EA608D1036371D00159A70A2F61CEB9F9AA00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:16.827{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53823-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000102033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:22.896{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD2FA77F56EF10E399A11F5741F65A4,SHA256=6EB054B624EF7FEEA789DC69EEBA0E1FC2D12774B14A164550F5123D62B548A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:20.952{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55764-false10.0.1.12-8000- 23542300x8000000000000000197565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:23.043{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23109A7A02E99B9D4DFB46C737685914,SHA256=13BFBFEE02F126395D691BEED949A21C72C92E6AA025933F7DE680D9AD0BB06C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.636{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.632{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.629{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.624{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.623{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.615{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.614{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.610{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.608{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.602{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.599{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.592{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.588{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.577{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.562{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.538{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.535{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.517{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.478{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.467{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.455{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.442{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.425{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.418{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.406{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.396{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.385{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.370{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 10341000x8000000000000000102034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:23.367{3A30D728-58BB-6356-1E00-000000008A02}14362988C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A86190) 23542300x8000000000000000197568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:24.726{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF14b78c0.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:24.158{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AC2E1F23AC6CC5DD48788FFFF61420B,SHA256=71C5EEFC12B48C33000C9A19AAC7AECE6BD1AC43571EAD09D5D6AECE6525D11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:24.072{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23C74586568EDD48D60E0FA62A071D6,SHA256=75B93434DC7FB80351F8F3EFCDC38FB5CE362A7D3C11BBAB1FEE8FABC4E2083F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:25.926{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB1D-6356-5610-000000008902}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:25.926{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:25.926{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:25.925{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:25.925{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:25.925{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AB1D-6356-5610-000000008902}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:25.924{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB1D-6356-5610-000000008902}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:25.774{E8723972-AB1D-6356-5610-000000008902}4776C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:25.189{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E6701407E64E9D8492B4E67F66ADB0,SHA256=2409565EF87232DCFD341C3E3B4EA40D491AC19BF9FDE97ADB73CF3A99015C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:25.177{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A25394A9F9F1CFF0FB6F6AFA617ABF9,SHA256=B98744A494A2E44FA5D657D4712E84F6B4D4270407935B4B329E7B0C0AF37E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.855{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60D2D54878123148A2B9F91605373214,SHA256=E628FBC48D551881366C38ACE074D7F13980A8182A1A01885DBBADFED4FFEBA0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.831{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.829{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.827{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.823{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.776{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB1E-6356-5710-000000008902}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.774{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.774{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.773{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.773{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.773{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AB1E-6356-5710-000000008902}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.772{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB1E-6356-5710-000000008902}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.619{E8723972-AB1E-6356-5710-000000008902}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000197598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.445{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.431{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.426{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.418{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.415{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.414{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.412{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.386{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.380{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.368{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.364{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.356{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.348{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.339{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.329{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.311{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.302{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.293{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.236{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.233{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000197578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.219{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E529996FA69B4B3965CA485FB036CA4F,SHA256=D04A4860E24901E38F73247B6CB094586C271038781A7271908B3D622314D936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:26.234{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AE54A3262677FE0DDFB45650D3DBC1,SHA256=4FB9E069AE39D5A3FD4177D9D4310F5A13CE2C1827C2B8B2F11948ADAD4020A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:21.760{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53824-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000197621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.567{E8723972-AB1F-6356-5810-000000008902}26686356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.504{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12FC6896B3D032213C77E14509964AF0,SHA256=8D0C181EC347E5A6EAD7439BCEE85C22D6CF23E387FD4140D24230923C5F478A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.408{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB1F-6356-5810-000000008902}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.408{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.408{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.408{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.408{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.408{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AB1F-6356-5810-000000008902}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.408{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB1F-6356-5810-000000008902}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:27.409{E8723972-AB1F-6356-5810-000000008902}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:27.312{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51C1D1BDF0077F39F819D2AC958330F,SHA256=A5756B4A5D29C732BE8DF8D63B77DB29F9774F2E7A5638B3367576B4AD6EE3DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:28.874{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:28.873{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:28.867{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:28.710{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:28.449{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDA99C8674B89E58F77C83C98FFBCA3,SHA256=BD164602DB7CB5588EA81FF4F049DBA89F44394121228271657DFB5A8EDAA33E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:28.388{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12010273EBF63664657E068FCD2EBF9B,SHA256=B8B9A8063CA44A6913A8EB1A73FF266531C4D90FD3059326DABDF8545E78335D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:26.066{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55765-false10.0.1.12-8000- 23542300x8000000000000000197623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:28.304{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ED291EAF872A11D318CEA50AEE064B4C,SHA256=692EE04ADA5E761C6B0AFA29A3C07559242590B6BF1B45D8002269770E0B606D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:28.120{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.615{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.612{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.609{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.607{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.599{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.596{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.594{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.589{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.586{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.585{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.580{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.578{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.575{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.555{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.553{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.553{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.551{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.551{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.549{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.546{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.542{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.539{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000197654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.538{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6D909CF4D5E18E4795FEDE660ED389E0,SHA256=3FD0C6952780A6E9C99C569DED21118308298A253D7AE0C072F3C9DA1B042774,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.536{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.533{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000197651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.528{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A279638B943FF6DC98D04FBF5DC47CB,SHA256=A7B0749158306D31BE8A5EEF5322227FD430E99B432D462954A5762DA907CC39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.525{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.523{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.498{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.493{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.482{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.481{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.481{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.465{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.456{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000102069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:29.458{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACE74A9BAFBB05ED3F3D32917851145,SHA256=B930331D614C1338AE3223BF1BECD3DDD7A601F44FF9C0107FD79AF87AF51F58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.422{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.411{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.401{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.396{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.394{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.390{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.388{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.385{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.385{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.381{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.380{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:29.377{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000102070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:30.519{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC5787AFD67CB7263CE71091B0A64EA,SHA256=094FF7C5E88FAE11E0B200FAF10667FB8E0707F76A85C5A108BAD32280DCA2B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.768{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1EC3288AF81AE6A9192A472A98D3D46,SHA256=6BEFA43FD7515FFD1CEC2BE866849F5F4006B3BFF3546E7E7577FE8220926A37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.752{E8723972-AB22-6356-5910-000000008902}40126412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.552{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB22-6356-5910-000000008902}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.552{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.552{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.552{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.552{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.552{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AB22-6356-5910-000000008902}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.552{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB22-6356-5910-000000008902}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:30.410{E8723972-AB22-6356-5910-000000008902}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.618{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF466C4DA05C33180265B07ACA9B7456,SHA256=889718E26B1FBFA1CC3BDE7AF2DD06E934257825004477D66A008EAC388239C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.602{E8723972-AB23-6356-5A10-000000008902}52527096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000102072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:27.780{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53825-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:31.593{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E80785442DA7E4F4A195BC99491161,SHA256=D55B2227858A6B2D9CA1274D4F4933950B0BF09997FCD29991858FE3B003BBFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.431{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB23-6356-5A10-000000008902}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.429{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.428{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.428{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.428{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.428{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AB23-6356-5A10-000000008902}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.428{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB23-6356-5A10-000000008902}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.284{E8723972-AB23-6356-5A10-000000008902}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000197714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.998{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB24-6356-5C10-000000008902}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.995{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.995{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.995{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.995{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.995{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AB24-6356-5C10-000000008902}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.994{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB24-6356-5C10-000000008902}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.820{E8723972-AB24-6356-5C10-000000008902}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.840{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA3FE987EB30AB6C9EB7A46E164A371,SHA256=C277085A6C3BA038EE38159D188EE3139115880B172036E58CE274AF850BEB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:32.761{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8C183F63CA3BD63CFF6029CAF13DCF28,SHA256=1C41C50ADEB2E9FBC1020565AA161F22CE011356B9286D0C00B3AB582C85238D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:32.668{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2809F2872992847835CBD4A9046331,SHA256=A072459F7556DFB5B7413B5DA9D9B04355AA0930C4FE5F3EC26E99F877659514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.318{E8723972-AB24-6356-5B10-000000008902}61128856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.139{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB24-6356-5B10-000000008902}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.137{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.137{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.136{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.136{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.136{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AB24-6356-5B10-000000008902}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.136{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB24-6356-5B10-000000008902}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:32.135{E8723972-AB24-6356-5B10-000000008902}6112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:33.927{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A94117C186591847E1FB96DD7609576,SHA256=5F008C56CC23982453C8820B7A7F1C0A4C6AE53350145D00F50E3DF7AAE8E5EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:33.770{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870ABE0601B64E5C38D8B6C4C0BB2C5A,SHA256=0428178B740C3B53C567828A86EA67B8B2CF188D59E79858D5BD536252A53430,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:31.129{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55766-false10.0.1.12-8000- 23542300x8000000000000000197715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:33.158{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AC28D86551C2219A43EF605CE8BBC0C,SHA256=D84A936F223810D2F1557F1922DE9A59021E1A38853F5DA6329B1EA18C2396FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:34.836{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE241391227BF61B6815DB86B2A6B7C9,SHA256=A2BCB69791D24A24B75E66DAC08EF497F3A143A4DFA9F3E078B38AF4D9C64001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:35.919{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130BFE9F9915652A319CC9D6EC3A66C7,SHA256=8750AB00A9C33BB36B515ADBB4188B5A3D69A620BC6C7DBE2592DEAC3D25CF02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:35.026{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB10C8C44B4995A4BF0FBFDFC0C343A,SHA256=70F3070AC33C86E2F36B396622B2375761E36E96A9AB163DA97D15802650F2EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.958{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e74e98|C:\Program Files\Mozilla Firefox\xul.dll+e623f4|C:\Program Files\Mozilla Firefox\xul.dll+3842e64|C:\Program Files\Mozilla Firefox\xul.dll+38be584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+17cd7ac|C:\Program Files\Mozilla Firefox\xul.dll+1a961d4|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000197722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.492{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txt2022-10-24 15:11:36.490 23542300x8000000000000000197721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.492{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000197720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.490{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\SiteSecurityServiceState-1.txt2022-10-24 15:11:36.490 23542300x8000000000000000197719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.143{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4282A736D9D7817BBBF920D5ED435197,SHA256=F9449FF6E293583880BEEFBA95857266277ED4C6DADF1AC1569E325936563B7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:32.799{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53826-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000197759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.993{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.993{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.993{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.993{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-58FF-6356-7F01-000000008902}6482100C:\Windows\system32\csrss.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000197754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5A49-6356-0405-000000008902}57163324C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+aa82|C:\Program Files\Mozilla Firefox\firefox.exe+648e|C:\Program Files\Mozilla Firefox\xul.dll+7bd31e|C:\Program Files\Mozilla Firefox\xul.dll+9e90d4|C:\Program Files\Mozilla Firefox\xul.dll+9e7125|C:\Program Files\Mozilla Firefox\xul.dll+9ef13e|C:\Program Files\Mozilla Firefox\xul.dll+846b13|C:\Program Files\Mozilla Firefox\xul.dll+17cdaa7|C:\Program Files\Mozilla Firefox\xul.dll+17cc7f5|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+84a377|C:\Program Files\Mozilla Firefox\nss3.dll+711dc|C:\Program Files\Mozilla Firefox\nss3.dll+89b11|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000197753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.986{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe106.0.1FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5716.287.1620697227\426880217" -childID 284 -isForBrowser -prefsHandle 11676 -prefMapHandle 8104 -prefsLen 34438 -prefMapSize 231165 -jsInitHandle 1016 -jsInitLen 246704 -a11yResourceId 64 -parentBuildID 20221019185550 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05553074-8806-44d8-9009-ae56a3e5affc} 5716 "\\.\pipe\gecko-crash-server-pipe.5716" 3040 1dd9f563558 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442LowMD5=2C1C9646FE1E0E4523667FB6F258C59F,SHA256=BB0679AB0C71EF86E2A353C0B3B9258C42C104B3C9A3AD23647934B795D09ABD,IMPHASH=5358568F6EDC0DB44595BE82D0734963{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000197752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.977{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000197726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:11:37.977{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.287.162069722C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000197725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.258{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E716954A97F38B2084EB24191BDE9D59,SHA256=26E194916015A2E6DFD4D03228ED7F613F119DDD14C0977D565DD2560BF1FCA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:34.345{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl58289-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 23542300x8000000000000000102079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:37.003{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AAA98FDF2196F578620D0724BAAEDEC,SHA256=0F08F8730598F1E6E92B155AA08E5AB419BD1D47CACD6EDCA996B7D4C7FE7EB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.058{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000197781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.961{E8723972-5A49-6356-0405-000000008902}5716api.twitter.com0type: 5 tpop-api.twitter.com;104.244.42.2;104.244.42.130;104.244.42.194;104.244.42.66;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000197780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.019{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55768-false10.0.1.12-8000- 354300x8000000000000000197779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.984{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55767-false104.244.42.66-443https 354300x8000000000000000197778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.956{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local57045- 354300x8000000000000000197777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.955{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60020- 354300x8000000000000000197776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.855{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local54237- 354300x8000000000000000197775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.854{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local61399- 354300x8000000000000000197774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:36.854{E8723972-5646-6356-1400-000000008902}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local61399-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domain 23542300x8000000000000000197773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.711{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C94C43C97DF0EB437A8982CF276661,SHA256=60366C4E518CCC2F64291A68E870D0B0609440B274CBD17F292707CC1BA2F4EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.517{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.517{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.516{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.516{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.516{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000197767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.516{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 13241300x8000000000000000197766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:38.430{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\E8A68842-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_E8A68842-0000-0000-0000-100000000000.XML 13241300x8000000000000000197765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:38.426{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\16F939A6-F11C-43C5-B462-BE8A86302C43\Config SourceDWORD (0x00000001) 13241300x8000000000000000197764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-SetValue2022-10-24 15:11:38.426{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\16F939A6-F11C-43C5-B462-BE8A86302C43\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_16F939A6-F11C-43C5-B462-BE8A86302C43.XML 10341000x8000000000000000197763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.412{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.412{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:38.855{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CF781CF5619C8ED51FC941F1B6780C9,SHA256=878AC58225342C5797425B4629EADB78215108B80C9E9850A8622A94AE9842F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:38.087{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380B1A6DB0051E6F37FF08829472F11D,SHA256=0BF13F0FD2D4979920EDE138774270093E649361CB83BE9CBC93E9D5A838DA3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.993{E8723972-5A49-6356-0405-000000008902}57164236C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+26ae0|C:\Program Files\Mozilla Firefox\xul.dll+e7a927|C:\Program Files\Mozilla Firefox\xul.dll+e744c9|C:\Program Files\Mozilla Firefox\xul.dll+e64954|C:\Program Files\Mozilla Firefox\xul.dll+e735b2|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a6e914|C:\Program Files\Mozilla Firefox\xul.dll+1a6dc33|C:\Program Files\Mozilla Firefox\xul.dll+17ce8db|C:\Program Files\Mozilla Firefox\xul.dll+1a962ad|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+1f49e|C:\Program Files\Mozilla Firefox\xul.dll+17ea08|C:\Program Files\Mozilla Firefox\xul.dll+17d8a7|C:\Program Files\Mozilla Firefox\xul.dll+45c1bc1|C:\Program Files\Mozilla Firefox\xul.dll+4629fea|C:\Program Files\Mozilla Firefox\xul.dll+462ae0d|C:\Program Files\Mozilla Firefox\xul.dll+1fd6d13|C:\Program Files\Mozilla Firefox\firefox.exe+1f2dd|C:\Program Files\Mozilla Firefox\firefox.exe+2d318|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:37.993{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+9ee269|C:\Program Files\Mozilla Firefox\xul.dll+f5584|C:\Program Files\Mozilla Firefox\xul.dll+1a8c96f|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000197806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.324{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local65535- 354300x8000000000000000197805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.323{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local63649-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x8000000000000000197804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.323{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local57456- 354300x8000000000000000197803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.305{E8723972-5646-6356-0D00-000000008902}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55769-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 354300x8000000000000000197802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.305{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local55769-truefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local135epmap 23542300x8000000000000000197801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.606{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D25CE29BCCE262901287814883A56A,SHA256=902947F6E6C642B6C1A9079FF28927CCE8001DBDA6BBEA31D52C47C1288D077E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.524{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=507F32FC1AA983807405C044996CD71B,SHA256=680C54204AD11E8333D3F255F6578E92C763D7E06E143BE282431A39C5C22B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:39.183{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E9A04BFF27FE9E057DC5A601775F5C,SHA256=E87F23E95CED3E779E58BC29E866CDECF50678D2C395068A10AB23B3EA012285,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.421{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.421{E8723972-5646-6356-1000-000000008902}4201572C:\Windows\system32\svchost.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6ce4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.370{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.370{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.272{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.270{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.268{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.167{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67D4068F9B26C99FE27F616254EEE73F,SHA256=7CB1C465BCD28BEE09E0B350B717CFEDEE2977863D17E2BC1F35327155941E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.139{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-352MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 18141800x8000000000000000197790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:11:39.074{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-283C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000197789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:11:39.074{E8723972-5A49-6356-0405-000000008902}5716\LOCAL\cubeb-pipe-5716-283C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000197788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.042{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000197787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:11:39.042{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.15463700844149872494C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000197786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 15:11:39.042{E8723972-5A49-6356-0405-000000008902}5716\gecko.5716.2520.15463700844149872494C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000197785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.042{E8723972-5A49-6356-0405-000000008902}57162520C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+1a8e6d4|C:\Program Files\Mozilla Firefox\xul.dll+1a8c797|C:\Program Files\Mozilla Firefox\xul.dll+12a75|C:\Program Files\Mozilla Firefox\xul.dll+9d72ff|C:\Program Files\Mozilla Firefox\xul.dll+125a7|C:\Program Files\Mozilla Firefox\xul.dll+9d3fd1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000197784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:11:39.042{E8723972-5A49-6356-0405-000000008902}5716\chrome.5716.287.162069722C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000197783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.042{E8723972-5A49-6356-0405-000000008902}57165536C:\Program Files\Mozilla Firefox\firefox.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\Mozilla Firefox\xul.dll+113deb|C:\Program Files\Mozilla Firefox\xul.dll+12f85dc|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+209b8|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000197782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-ConnectPipe2022-10-24 15:11:39.041{E8723972-5A49-6356-0405-000000008902}5716\gecko-crash-server-pipe.5716C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000197815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:40.657{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7496FAE9469142C1077AEEC731B60C7C,SHA256=5E705300BA6CC01127E894117EB79E398E445C62791FC2BF08E093041DAFB1E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:40.687{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-342MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:37.843{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53827-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:40.259{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03AD24B6C42E8CFAB990B7BF15C12E4,SHA256=C0484E0AB5AD05858BA63485A1A24AECF08D225C6C5199FD1D64BD57BA949A40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.156{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55770-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000197813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.156{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55770-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000197812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.325{E8723972-5646-6356-1400-000000008902}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:80:f850:1e67:82e6:ffff-50807-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000197811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:38.325{E8723972-5646-6356-1400-000000008902}1052C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:75c1:3a3a:67d4:9dd2win-dc-ctus-attack-range-702.attackrange.local50807-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000197810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:40.138{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-353MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:40.106{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:40.106{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000197807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:40.106{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:41.754{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA004F47A88A8D00E1AE39C30E1DB1DF,SHA256=B3FBE859083EEEC3B3B20FD44AB8521ACB771916462B2EA0D7F13453740D36FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:41.700{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-343MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:41.349{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE072FF1C6ED6BF14D11795A12D53A2C,SHA256=F81065201046A6B316C979B390C6C79F155AFF77CFC27A771BCCBF5DA460CC5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.998{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55771-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000197816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:39.998{E8723972-5654-6356-2900-000000008902}2660C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55771-false10.0.1.14win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000197819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:42.771{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE4CFB884F09F646DB8C095275B6960,SHA256=944EA182C343D2EE8E58E0B44D2B5B2E05414413346D945DE598BCD5FC893133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:42.437{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94219C17F53DFED64F65B2E9ED74C107,SHA256=F6B085DC5AB3D9A527DF81E67401B8996392F90F7A36547048D9922EC00EC89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:43.892{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F715AD7AFF2AA8684B6E786D2189F0F4,SHA256=B6094533664A2225C6A0B58F144FD6C2362245C956CD81E5124D50AD01ED0F6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.600{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.598{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.593{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.590{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.590{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.586{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.584{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.580{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.578{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.575{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.572{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.565{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.564{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.547{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.532{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 23542300x8000000000000000102104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.514{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17C3C3912BBB54576B0BA3346652D42,SHA256=2A53D84789D41AB4AC3B5E4DF4B52064884330B49B27C0459322134E8243EE67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.501{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.498{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.490{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.464{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.457{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.446{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.433{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.419{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.414{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.405{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.395{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.381{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.367{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.364{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 23542300x8000000000000000102120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:44.588{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB672E2EC6DB054412B561515DF02CDC,SHA256=D23AEAE0DCF9F4B02DE1EA54E11AFD874B2936CC0FC8ECF1A9FD1C756C5CA81F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:42.946{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55772-false10.0.1.12-8000- 23542300x8000000000000000102121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:45.674{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E23F18896AE724D96ACE01B1BFD21C,SHA256=AB13F8125A98D7A1B77750DE413BA6418832C08574ED7FE652E1A86612C58CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:45.007{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA03B218352171E48B26503ABD80A56,SHA256=89484114D46A437BE7BFC0F65C922B8D0FE3F45406A313BF867B1E16D49DCDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:46.750{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C95836A8BAF3A678A394740DB912535,SHA256=98FB5D1FE3BDDF3CB2C39B1DCFDA8F9CDC4CBD03A5A62675FED393E62383349C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.788{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.786{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.785{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.782{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.415{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.402{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.397{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.391{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.388{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.386{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.384{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000197837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.377{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.359{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.352{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.335{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.329{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.322{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.312{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.296{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.283{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.276{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.267{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.260{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.222{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.220{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000197823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.023{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4201C8F64941DBD2DCF52ACF3E04AF,SHA256=2FE8C51974541E164B18DAC84B571A42F5C35FF9E70A1FBF7D941588DFA3703D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:43.811{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53828-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:47.826{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB8F8B3D027F5AF0E6533244DB1F92F,SHA256=CB30A87F0BEC823E703F54782A73DD12977F76B6ACAD9C73D9FE6B757A95E86F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:46.254{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55773-false10.0.1.12-8089- 23542300x8000000000000000197849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:47.076{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D9FD79914A647F0C191CD2E58884B5,SHA256=553760C10B0278E8392EED92B411417CCF109E95511E35B3FC387C6F772CCCE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:48.927{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9013290B73883D9AE40FC2A2D85D63,SHA256=001909EA88C67A2F5766743A9CEF2D03299D9B39BBE411EAB910AA9A7F096025,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:48.819{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:48.817{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:48.809{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000197851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:48.192{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C7982F4100DC627022A63BCFED6FFA,SHA256=ABCCEC5899D686034852F7EF4127D39B2ABD015FDEA525730B2ECCC0A8EC0A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:48.329{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=49218321408AA540323171C6F600A3E1,SHA256=5C023A04CA8A1992F9F311E29D1883A0B43FEA8F8ABA6418CFB60B32BACD8181,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:48.147{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55774-false10.0.1.12-8000- 10341000x8000000000000000197903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.567{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.564{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.561{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.557{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A87B-6356-FC0F-000000008902}6228C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.555{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.547{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.544{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.541{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.536{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.533{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.532{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.530{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.528{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.525{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.507{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.506{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.506{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.504{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.503{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.502{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.500{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.496{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.493{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.483{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.481{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.472{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.470{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.447{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.442{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.430{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.429{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.429{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.414{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.405{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.365{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.358{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.348{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.343{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.342{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.339{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.336{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.333{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.332{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.329{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.328{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 10341000x8000000000000000197858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.326{E8723972-5912-6356-D001-000000008902}56045680C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80190) 23542300x8000000000000000197857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.274{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABC1C0A7803DFAF964FBF794C5369F7,SHA256=C14AA46AE22DA0D8B25E7D1556AE0B9B54C9BDBC49BD10A4149F42B3172F8372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.076{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=1075D87F9B0984C6DF8748AC4A1AA899,SHA256=C4D992E68232830A479A9F5D83E2368E2C5F06CEB5F875F6FE866D6C629BB1D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:49.075{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:50.540{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFB3354A933F08E57BF988FC5D0AB20,SHA256=3797D5E74F7A344E669C4E79C56C3A4A18A89EF987DE4022FB5E7A3D3F020135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:50.014{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285558601FF88422F6CA4EE25A3BB388,SHA256=5E24359D26F4D1502236657B6A7451D091B06B879C2F3BA7629890A0529BAE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:51.572{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D96C263CC52DC7272FC0CE95D4EC6B01,SHA256=0748D3679736A103EB68328C83CF573650E084963D2C693B3AD2345C4850EC5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:51.090{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807F21576E028CAB42C7F7ED6BAFA222,SHA256=8C7B63D155277655F99B2D1F4DFF3F64845915AC33D3BB8EEA38CDD99564BA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:52.724{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D8184425DFC52F5E7EE146E47CB43B,SHA256=362AD14B972FA83C175B1F3DA9828EE895509D54B90276DFD85A72B72342BD21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:52.158{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AC866B43CC7BF8BF52EB107A8894AA,SHA256=77893933B1546C82FEDF3F20D733CA4F909E1423FA07CE0C310C95AF1C4A1BBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:48.878{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53829-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000197908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:53.840{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9867AAD047C9CA19E37FDC345DEA870,SHA256=0C809D24E3ACD49B02B737846EFAE3DDA76A62045A3C022AB81B1505CE492B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:53.268{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D335B42AF7A73DCD7EA836B9A0931B0B,SHA256=CB5F6709C264D02BA4B5817F8BBABAF0B222F00D1181E1DF4A41692918988124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:54.973{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DA93153C06EE6821BCE570A0FA3296,SHA256=AD60D7999261DFA83ABEC3ACC60E97EDE2D11BC2016145F15761DDF29793C011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:54.354{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858928C0839775CC6BB21C087481FCDE,SHA256=42B9BA53124573CFB06D4A0F22BFD966AF2D28BD0554CC498E31ADD1BDCF58AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:55.993{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CBCD2525602F3A73773B07FC3CE1E7B,SHA256=505B59CCE3893C08070E1A4984E1F79E6BAB30E6BD47DF456AF661C67F30AC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:55.436{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87BF6F06F1E3AB4E15FB09846F477EE,SHA256=C337FB68A5D1EC478889CD9C16F78A763FE45D4308EA127665F47C7BEDF7EE97,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:54.049{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55775-false10.0.1.12-8000- 23542300x8000000000000000102134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:56.513{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12495E9B69FA6911EA13C196C94A6838,SHA256=8F72F8DC9A0E71FA48FA225C5455E77255D76E74AC7970E63C23EF3A5F861D87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB3D-6356-8E0A-000000008A02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AB3D-6356-8E0A-000000008A02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.864{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB3D-6356-8E0A-000000008A02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.865{3A30D728-AB3D-6356-8E0A-000000008A02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:57.599{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC15CBCB0EF0F2AB7D81265F44619DBC,SHA256=1C937F05531A34DD60512429DF35F58BF819D82F28B8DE6C65600C8BE91663AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:57.075{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17B20A4D0A74DD5BF95B06D885BE7983,SHA256=E19B491B2F8B5583936B4CD92E1F885C97656DE0E129390A6C381C5B35B07D2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.924{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5B46BF4A8F7FFF531FC415C9A7483EC,SHA256=F512408A7288FD1C97F2BE6EA94A6532A88AE102FBC6C56D8622FDCDBB4B16F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.736{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F0C3D4DD0ABCD03F05D62BD39A9BF3,SHA256=08C19968D53889AF2C28B9A09B3BC28AF651D961FD0A59F478E86669B59A13A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.658{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0D79AF73513D10FA35896A4DFBEBCB80,SHA256=53960002A3D5FA3B0BFC80BFBBD895F3B7F57EBB4088C3EFE583F5F2F46780CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:58.211{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78AD20E7C620F2FC301A07F747D07CF,SHA256=EF7C7950A6E2478F4C9690AA8C74A6E3DA8AEE117392F9B53245CC8F25464173,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB3E-6356-8F0A-000000008A02}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AB3E-6356-8F0A-000000008A02}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.533{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB3E-6356-8F0A-000000008A02}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.534{3A30D728-AB3E-6356-8F0A-000000008A02}636C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.502{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8F6419534C00264FC61907A7973554F8,SHA256=72FA66314A6FF0ABDFEBD2976A06BA155BE919DDA17234BADE226B3EEC1F8872,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:54.887{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53830-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000102159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:58.130{3A30D728-AB3D-6356-8E0A-000000008A02}29442024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000102158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01425d06) 13241300x8000000000000000102156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b2-0x93bdf849) 13241300x8000000000000000102155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7ba-0xf5826049) 13241300x8000000000000000102154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c3-0x5746c849) 13241300x8000000000000000102153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000102152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x01425d06) 13241300x8000000000000000102151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8e7b2-0x93bdf849) 13241300x8000000000000000102150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8e7ba-0xf5826049) 13241300x8000000000000000102149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-SetValue2022-10-24 15:11:58.005{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8e7c3-0x5746c849) 23542300x8000000000000000102191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.760{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CCA1BA1A6C11883F7DAFE5977E847E,SHA256=1A6899586274E42ECDE0917B0590282C644E3B59F9822C3B6F25ED1EACD38C2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:58.004{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55776-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000197917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:58.004{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55776-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000197916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:59.642{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7DF9CBD044613A9FB6F3A72382D2E48F,SHA256=CFBFE1D5DC1A37B5BE3865C5448EC252786D922B965E85615E17E0B219FF9C2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:59.342{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73DE81060AABACE70920B4A15BD3EA4,SHA256=6A92BEB22D072476365E5B918808E86F09E2BBBCA723DC5A9794530C67D32853,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB3F-6356-900A-000000008A02}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB3F-6356-900A-000000008A02}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.033{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB3F-6356-900A-000000008A02}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.034{3A30D728-AB3F-6356-900A-000000008A02}344C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:59.211{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A30C37A9773C276CAFAB6E2F951690E7,SHA256=4A649D3B66C58B7E30EB1607993555BD3E596D84663A1A8D0D2B66AD9666EBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.835{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD93335DF9BB3E5A686884CF6F3B28F5,SHA256=543C327DF27F7FCB326D7EC63A4EF095F5087DD2497D11B0413A3C18694C44D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:00.475{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AC2EC8CBC792DBA22E6A4B24B58D4D1,SHA256=A40DFE992D4C78D390F19308E29FB98437973E8C43DA69A4524B793C59A4878D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.300{3A30D728-AB40-6356-910A-000000008A02}35643252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB40-6356-910A-000000008A02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AB40-6356-910A-000000008A02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.073{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB40-6356-910A-000000008A02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.074{3A30D728-AB40-6356-910A-000000008A02}3564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000102194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.010{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.010{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:00.010{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.927{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F213E0F2BBBDE8895FF6449BD32AB8,SHA256=51F96DBE036501C7C26D37F930BD40185638465FD14B43BBFA9018772252C145,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB41-6356-930A-000000008A02}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AB41-6356-930A-000000008A02}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB41-6356-930A-000000008A02}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.912{3A30D728-AB41-6356-930A-000000008A02}4068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000197921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:11:59.934{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55777-false10.0.1.12-8000- 23542300x8000000000000000197920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:01.595{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A59ADAD88526015B18D9E76E858B95,SHA256=F653491D141DF5D89D7EDD4B4CF3E4103D71CB4682154E265FCC117FF3647079,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.445{3A30D728-AB41-6356-920A-000000008A02}36002596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB41-6356-920A-000000008A02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AB41-6356-920A-000000008A02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB41-6356-920A-000000008A02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:01.242{3A30D728-AB41-6356-920A-000000008A02}3600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000197922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:02.727{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B6A838D2FB56A56E11C9526E7472A0,SHA256=47BA34A26B483B75C5D7F5FCF4763CCFBFD060389BC3E873FF97B4AB57909C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:02.882{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6E7F534F8E4650CE0C89A2A2454C10CB,SHA256=5605125B1C7FFDC244E7702C0B638F8797B9196AFEB9288D3186F1611695F9CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:02.083{3A30D728-AB41-6356-930A-000000008A02}4068428C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:03.842{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422BAD059B58CB9E2CC9CD02C0BFCC52,SHA256=00F187DE463ED4DE245144DD0FC71D9E89BD1CF76B36F2A0562A4CE810365AF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.698{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.695{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.691{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.685{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.683{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.679{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.676{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.674{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.672{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.668{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.666{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.658{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.656{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.639{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.607{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.582{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.580{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.563{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.514{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.494{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.483{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.463{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.437{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.428{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.422{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.417{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.409{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.390{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 10341000x8000000000000000102242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.387{3A30D728-58BB-6356-1E00-000000008A02}14362932C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001FB78CD0) 354300x8000000000000000102241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:11:59.911{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53831-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:03.022{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D4C3ED37C8CF4B171B2A60EE454086,SHA256=E3036BC458E73B73C287AB820BC9CE71755FF1C3999CD8D9DB935744C1073331,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:03.642{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+9d860|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000197924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:03.642{E8723972-5904-6356-9601-000000008902}52565636C:\Windows\Explorer.EXE{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+9d341|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF8004D46B638)|UNKNOWN(FFFFA4475EE77E08)|UNKNOWN(FFFFA4475EE77F87)|UNKNOWN(FFFFA4475EE72611)|UNKNOWN(FFFFA4475EE73FDA)|UNKNOWN(FFFFA4475EE72296)|UNKNOWN(FFFFF8004D180703)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+a10cb|C:\Windows\System32\SHELL32.dll+59c8a|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000197923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:03.642{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF14c10ba.TMPMD5=B6AF075EEF849C96E5B077C7686AD18F,SHA256=6238E31FF8D53F83D88B98475C1ADF7A06FFF50096493BBE9E30B6DA56F87D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:04.975{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DA158CFF797774904EB1656598B7A4,SHA256=03A6386C85434A4DED94CB56BCA1B65D848A38F5D719069CC57864F1DBFF8F92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:04.544{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC20AEDF4CB1E1896BA37860685BE67,SHA256=1F8756279C0FD12B594C65092E9EB47514C16FCDD61131B0670CFBBFD9D6978D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.902{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.575{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AA0117E70C55FC14BD2C50306A1FDC6,SHA256=C61797861CE69FCECA4DC8CDF37F434738314C58A57FF226AEB01897566404B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB45-6356-940A-000000008A02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AB45-6356-940A-000000008A02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.113{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB45-6356-940A-000000008A02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.114{3A30D728-AB45-6356-940A-000000008A02}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:06.646{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6EA837CCB8FE82F2ECB0C59CF2AB73,SHA256=1C3F0ACBE57A8791F36019AA1DFA9BB4D4BC0A4E5D4C3EDBCAAEC462326729DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.775{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.773{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.772{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.767{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.408{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.396{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.392{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.386{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.384{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.382{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.381{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.357{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.352{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.342{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.337{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.331{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.324{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.316{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.306{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.301{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.293{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.284{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.228{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.224{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000197928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:06.111{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAE8BAF4A47FFAAF736C297CDB7777E,SHA256=DC110F289D729AF7499A32B9861FCF6571917C9D258FFB1C95D8148EC4CE4A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:06.380{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA5BEC506A604FD8C947E0DD9C9AF59,SHA256=A213FB5687DA3FDD8B1AAF95836C86C5A0667F85ED57E391CD9A79A0D1D15FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:07.643{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFC7A73F8E4E6105A07FD94BE3A157D,SHA256=7E280E361674BFCF6929E426D35F0F4E4ACC38D3D9506325D756072C90F84D71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:07.727{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E96970E41F36E3B0A29D8CB54AC3D72,SHA256=52FBAA7D7ADD64E4A318245B2D587D4BA65F33E351F3B2818A1A347925FF9D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000197955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:05.051{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55778-false10.0.1.12-8000- 23542300x8000000000000000197954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:07.043{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\cache\caches.sqlite-walMD5=E9060D723120EBD50EBEC787DF22F304,SHA256=B7AAC966E238756E8B904E88C4A7461560DCC16D3606F7AAE7A007EAE44E1D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000197953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:07.043{E8723972-5A49-6356-0405-000000008902}5716ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qlpm6uue.default-release\storage\default\https+++twitter.com\cache\caches.sqlite-shmMD5=C666986540EF0139B2493A7D7038D424,SHA256=8B7FE63DEB327535362944F0C13A15E3230B91AB07861BE5203F0BFC33D736A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:08.795{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644A7B720F6DCE404371A16E4CF7D02D,SHA256=91B2CFF449E26B340759DE132BAFA3B7FBFD2D38242786668345DAC990088D8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000197960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:08.849{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:08.848{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:08.843{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000197957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:08.751{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23A78A5DB8D59C49F0C119A54159244,SHA256=A68461366643747BA9C29A648659529011E867F38C0CA9C9E919ACFA52177261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.829{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD866BE95CD0922D303CD1409B18890,SHA256=3FA8395BDC09AFF674DCAD0F1828930774E9AEAC124FC668742E39BB9AA2935F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:09.878{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F6588FCF1667D18C17D4D528EF05EFB,SHA256=F6677EF2B9734B6EC86F0E1DE5EE192F5AC153EF2162DA8F49D941C088EACEB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:05.817{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53832-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000198006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.572{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000198005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.569{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000198004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.567{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000198003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.566{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000198002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.559{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000198001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.556{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000198000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.554{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.550{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.548{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.547{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.546{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.543{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.540{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.525{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.523{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.523{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.522{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.521{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.520{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.518{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.514{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.511{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.509{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.506{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.497{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.495{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.475{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.470{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.459{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.458{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.458{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.441{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.433{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.400{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.394{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.382{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.378{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.373{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.372{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.370{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.367{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.367{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.363{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.362{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.360{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 10341000x8000000000000000197961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:09.074{E8723972-5646-6356-0D00-000000008902}9126552C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:10.956{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C296323C59EC247D02DD14F55AD9445,SHA256=742C120C5FF11C7A2AAA1ED4E83A8B4576D7197A2BA9EAA513C3DB94162DF292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:10.931{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF2811777052CC561AB2B9146287C40,SHA256=36449B751F85FD8CBFE074A6BBA593FA2A31182A375923F671D3D1B19B19D043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:11.956{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=109F7A51A955A31626A875F7945B42DF,SHA256=E3BDC199918AB2743CDB85A8EDE29E5464D445337B07625184D23CA623D3F5B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:10.990{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55779-false10.0.1.12-8000- 23542300x8000000000000000198010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:12.978{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F739CBF751E18B59711B5EE60B3D40,SHA256=59AC9937BEC5A9467D84C5C8870CD15AF69E50970320C6CAF2410B09153BDD5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:12.041{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F77809575864CFB7E147E2A9442B83,SHA256=52DA8B22DB861D42F0267A816B36A7FFA38589B9CFA36246C0AB80CD251AC242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:10.889{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53833-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:13.127{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AE97949430A9A9A610D6E4907A29B5,SHA256=A1EEF709550A4049B71DA142CAFA7ACB3DA193EC33174BEF2DB59803911BB48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:14.213{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70660C49FADA065730D7B88C497AF778,SHA256=F815B2C71F237B4E71C3D3FE67F7153F8F4E7FBF2B8664F860F16107BDE1E899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:14.060{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB08FE1E8BEA285881F82509EE40D5F6,SHA256=1330968F8C487FBE2B22DC2EC330DBFDD14E12A9C6239D50F840AFD5C072F898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:15.308{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295414E12DD116DC285DD7C48B6D797D,SHA256=49D641EAC2CBF0A76E66EB97C8CD5BBEA5EAD5508AC518453DBCADD2DB90C90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:15.098{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6495E573615103C376166B8D2C45B0,SHA256=9FA814ACBD109D11117602CA24AFB3D663C3D95D6594CBEBBAEC0C8004E47C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:16.391{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9316462B422A12141FBCB453A0E93E44,SHA256=FB823FD95D1D7AC1F8C64766E27245312CAC945BB2B714D4FA84FE0E19E7472E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:16.244{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4713704D8517CFA1CB0843CF7F37020F,SHA256=38B3A277FF9ED80E536C271FAE53646A5912C1855968D2EC893F71670F0B9AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:17.475{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B74223D8AE5A3328C912AE1A01AEB5,SHA256=3A098B8C9C16322F985E419BC42EE6DC647935088640E9DDBED8E05E1A43810D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:17.360{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667AA7476C308B4A4D4CD1072CA17AB0,SHA256=6CFDA06503A03E598E16A5F47379AC92F52ED2C839340E1A462220417AC0DE8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:18.552{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8DD54C660C51EBE675867E24CAB6A78,SHA256=3B3889B47D6C83BC28BB723E469C3E4A9566AF5B3A0334970EC8A0B104755296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:18.478{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F74B974613AED44806E3AF073AE70E8,SHA256=827169D45FF5202EF6293112C0AA90B220ACE869C57A9D4BBEFB83D20ED5817D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:18.178{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:16.152{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55780-false10.0.1.12-8000- 354300x8000000000000000102304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:16.729{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53834-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:19.635{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24385DDDFC4634454F0AC2C500364B52,SHA256=66F45040053D2941C4918FF12F6EEBAF362A5E40D2FD4FF29D65829F0EAA7E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:19.560{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749EA7F7F4B48202ED3111548630DD52,SHA256=4064904FD76AE10FBE24A5F6E828FD7207560A7D96BF2A4CFD682D4036FFA6FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:20.578{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8AF112BE163F1C642D64B10BE9B8EB,SHA256=5BC635892146C6DA594A81EA085C1E39D35C3DAAC7E901641C00DA7A30D5DA82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:16.854{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53835-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000102305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:20.710{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008861B32F647E37006BBAD8FC9F4323,SHA256=43FBF96541F80C0CDBFB42D117416829255870CD60C59FE8049A8D055414E3E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:21.770{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219FBAFCDAAD09BACC344EFF1EE813E1,SHA256=17ABB4B803FAC77361266EC371FD7655321DEDF1A44F2DA54FFCB86649F15915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:21.680{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=093C49FC9D6B333880FD81B006654CC4,SHA256=3FF17EC7B606E774E81931718539621A4BFAEE56C3AF13292DF6D6AF1AF9E484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:22.949{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86477C39E75EF71202F327CECAD3368F,SHA256=90E247122134CC330501A0A3C32D2782B98DF91A68607AD39DE3723721B39AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:22.831{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF7B51F9D25531786A287B880DED866,SHA256=6AE5E643EFC63E4DA0C562585548E9E21AB35FFDA3657C94C7E09A4EB849BAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:23.946{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA85CC89836B9F3E412856121141EECE,SHA256=3A6A0FDB4F5D684BEF8C9BE8FB9BEF0B2C44E5A8992CB9A78B2205CF137F4AA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.631{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.627{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.624{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.619{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.618{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.611{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.611{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.607{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.605{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.598{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.597{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.587{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.584{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.567{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.554{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.531{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.525{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.504{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.474{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.463{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.452{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.439{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.428{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.419{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.406{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.394{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.384{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.374{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000102309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:23.372{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x8000000000000000198024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:24.979{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D58A7EFCB42E3C942F6541B03DCF39,SHA256=FA83C055A3DF6C9FFDF407959B6FD454665397ECF02C1542F2DBFC8EE6EB4884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:24.438{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40451548950A4A25CBAE648F0493562E,SHA256=A8995D68AF3EEDB2EA57CD9B214676BDEF480E3A3EE6A143AC768DCB2B3E0801,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:22.092{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55781-false10.0.1.12-8000- 23542300x8000000000000000102340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:25.542{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10C970F2CA77F4899C8EA21ED0B0708,SHA256=D053DE6AD9FAC8BD3FEC2378A897CD7F57678FB94B627492FB1280358E8A08C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:25.947{E8723972-AB59-6356-5E10-000000008902}824410228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:25.715{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB59-6356-5E10-000000008902}8244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:25.700{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:25.700{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:25.700{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:25.700{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:25.700{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AB59-6356-5E10-000000008902}8244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:25.700{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB59-6356-5E10-000000008902}8244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:25.701{E8723972-AB59-6356-5E10-000000008902}8244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:21.876{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53836-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:26.618{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502E11DEB856D1879BD5777BC92EF5D5,SHA256=3B751223326BFBF96A1E99AC569351DA8EB017F164D8DCB3C02CB61758D2E238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.785{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15B70816E5E3B00F74C6DA97EB90813C,SHA256=BB8A1B83C8749F28B248B3F26EFEA8168CD619832AB82DE8F5BB3F5C7BBFD896,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.779{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.777{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.775{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.772{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.400{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.387{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.382{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.378{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB5A-6356-5F10-000000008902}8672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.376{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.376{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.376{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.376{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.376{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AB5A-6356-5F10-000000008902}8672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.375{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB5A-6356-5F10-000000008902}8672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.374{E8723972-AB5A-6356-5F10-000000008902}8672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000198051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.375{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.372{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.370{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.368{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.345{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.339{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.327{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.320{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.310{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.303{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.294{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.281{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.275{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.266{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.259{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.221{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.218{E8723972-5912-6356-D001-000000008902}56045140C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012880190) 23542300x8000000000000000198034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:26.047{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC81FF9F13E46C4D8F260185B765727,SHA256=0E6EA70B590B7A9BCBBBF8E5D0BDCF6141A82E4A7AFC26779121C2CB505E17AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:27.704{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CF1DA00AFBC8EBDEC333A917CABE2E,SHA256=D7F3CD005FC2BF8A694B6954495F86E3BDCB4AA6A3B4E996C72CBED8959DE008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:27.381{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB072D8F8AD5DD26563752CE33284,SHA256=E38B8D57B6A45982C9F35BA5DE650F365A11276FB284B307006AF66AE27A763B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:27.048{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB5B-6356-6010-000000008902}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:27.048{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:27.048{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:27.048{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:27.048{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:27.048{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AB5B-6356-6010-000000008902}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:27.048{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB5B-6356-6010-000000008902}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:27.049{E8723972-AB5B-6356-6010-000000008902}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:28.795{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F302FA32D738959CC789CB5994D8D91,SHA256=87CD9CD68F0D74F1E9B22B17B6CA3006904F3578B03A53D6DB7251EA015CEF44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.812{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.811{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.805{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.732{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.732{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.732{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.710{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000198078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.304{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B92ACC425F4B9FA63B28BC6FDC238447,SHA256=FECAD03FFBA7D6EA014451D1DB7BA5472659A920229C339B7ED1C41CC320BA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.102{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272C00AC739B139BE2F907D416825A09,SHA256=AFF20E04D8F8B2BFB9CDF9552D496C3708389915E37CC91301C74E52AFB6C5DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:29.874{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EF38004DF2A660123ABA00C894CD51,SHA256=3F42243CF761BBC5C9A8D7B6BBC32E1A568AB5024D73EC75012D6F8FAB9C4801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.852{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1D3A032F3F5DB35B37E2AE3D88834A40,SHA256=A936A6BE86FE8C562B065378B2FF561099D72D42560ADDF60EA860FE40AE8128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.589{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.586{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.583{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.581{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.574{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.571{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.568{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.564{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.561{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.560{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.559{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.557{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.554{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.534{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.533{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.533{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.532{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.530{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.529{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.527{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.523{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.520{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.517{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.514{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.506{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.504{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.472{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.465{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.448{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.447{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.446{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.424{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.416{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.370{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.359{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.344{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.339{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.338{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.335{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.332{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.329{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.328{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.325{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.324{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 10341000x8000000000000000198087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.321{E8723972-5912-6356-D001-000000008902}56046608C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001BA40190) 23542300x8000000000000000198086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:29.284{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDA03561BB4D17E7E3E5E4BD226A8C9D,SHA256=4A1939093FF315B76DA758A0C65E540C3794DA0131CD881E1B0D0CFD754FCF72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:30.937{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06CFE5725E17DA5F999964A2AE046BEF,SHA256=07A2F64EFAD3C3D2AC3D9589CFAAA400DE56638C4C543406864CD3D4C2040192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.707{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C8ACF783A81960123FE3EF898A7DDB,SHA256=BC78E96AB0E7D32597D0C39F179251714AA968CAF7C7DE65FE8C6C3FFA20B25E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.588{E8723972-AB5E-6356-6110-000000008902}95648920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.406{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB5E-6356-6110-000000008902}9564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.406{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.406{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.406{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AB5E-6356-6110-000000008902}9564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.406{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.406{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.406{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB5E-6356-6110-000000008902}9564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:30.407{E8723972-AB5E-6356-6110-000000008902}9564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000102345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:27.721{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53837-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000198133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:28.108{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55782-false10.0.1.12-8000- 10341000x8000000000000000198162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.924{E8723972-AB5F-6356-6310-000000008902}94929624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.754{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB5F-6356-6310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.754{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.754{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.754{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.754{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.754{E8723972-5644-6356-0500-000000008902}416432C:\Windows\system32\csrss.exe{E8723972-AB5F-6356-6310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.754{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB5F-6356-6310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.755{E8723972-AB5F-6356-6310-000000008902}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000198153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.422{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3964FAAAD5627BBFA80CC2DE63FBBE,SHA256=350442837B303B27C994B925B6DEFB0756120368DBC52A30F6AB1E02A98E9E6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.268{E8723972-AB5F-6356-6210-000000008902}626810128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.089{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB5F-6356-6210-000000008902}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.087{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.087{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.087{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.087{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.087{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-AB5F-6356-6210-000000008902}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.086{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB5F-6356-6210-000000008902}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:31.085{E8723972-AB5F-6356-6210-000000008902}6268C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000198172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.790{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=972446480DC8A5D29A07EBDF144C557D,SHA256=466757946A53E5AF46C8EAD67876FF4D85E68EFE6067EAA7E91CE1AE62C8EB31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.472{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=277174E673A410CC0A1BEA9C62A33559,SHA256=EB045725B9E2C945D382751CABAE9AB7436D85854BBE56E4532CEE29163901BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.440{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-AB60-6356-6410-000000008902}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.440{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.440{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.440{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.440{E8723972-5645-6356-0C00-000000008902}8569380C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000198165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.440{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-AB60-6356-6410-000000008902}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000198164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.440{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-AB60-6356-6410-000000008902}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000198163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:32.441{E8723972-AB60-6356-6410-000000008902}5388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:32.083{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=91BEDD164BA2621DA1375498E4B0D443,SHA256=916D756DD88FA854AD6F6B7D9833F13800788FE77714A7AA3E838E6C6C4CEECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:32.021{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D8BB3518C13C0BF3EDFDBCECC500B3,SHA256=69FC22B699ECE3E572826023C84E4B860A86E12F5B542807560DF16B3E63A433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:33.457{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39F6B6E81D48AAE68A1A1C4A19DE0B1F,SHA256=92CC00E890312EB489A1CC6BD7C3E2B6B41802152C0D2D9D4F861702B7007AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:33.100{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E3441E8888CAC907910BDB44D79F5A,SHA256=993B897AECB5C9590A4172E46EA0BBC49EFE311A0D5B2FC9DD3BB763BDB68FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:34.512{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2832956001FB861D9ECB5CEE99D7A58,SHA256=E688AB42ED94B9A127ADC57568E325A070BFC26B2C49867648B38F8952977F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:34.171{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0330AF6C0BCC6DF9F6C641B09A6C4580,SHA256=CD839143396FE0F7DB03DF3EF6EDCD1CFC20C2CDB116756662FA9B4711968B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:35.560{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE27F4C91C964F5BDEAD9B816C539DA,SHA256=16520074A5AC47FF46CDF6C298E73CB92247415C9971A2AA3546CB25CC363C8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:35.209{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899978FB6621C734C323087641FD6FBF,SHA256=E4EB93766C7ADF6F009539484937C07DAB04E77CFDD318B7555D7CCB516CE306,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:33.116{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55783-false10.0.1.12-8000- 23542300x8000000000000000198177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:36.631{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9384AF3F7C83F0BC7FAC370210CB1B3,SHA256=5FFA21DE12FC1EF6E8B3D4037357D5582203C747F939A275851616C4497CB569,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:33.893{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse178.183.89.153178.183.89.153.dsl.dynamic.t-mobile.pl58824-false10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal3389ms-wbt-server 354300x8000000000000000102353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:32.831{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53838-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:36.270{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6F72F5B573FEDB1F8D2E8E07517F7B,SHA256=96A12DE115AA294E798F6D4359B954CE8DE8C80B9DEBB18D1DB20A971EF4C4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:37.665{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26766764DB2669D9DF5945538A27591,SHA256=AF49977187C517F99AB8C5C953669B33754BF25EA30014090DBA5EB15334B2E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:37.346{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23AB6AB86F1F2A117AA8FF8F1F2736B5,SHA256=76AE08D6FCED7D6AA468986F77D4EDCC198ED11E01F0965489A9A5E9329BF46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:38.751{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113719B000C24F539670908ADD84A68D,SHA256=F62EF314943151E60B5808EAD37A0123914A46B82662AE05FEE1D86807A743F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:38.656{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CB5F0C109C10C1B20288B390FF347AA,SHA256=62C6C121BD6E81844E1979F3DA2D6BEE195907A4CBC8823799511AEE41F19696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:38.437{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA84472A3384EF75E23764C2E194ED0C,SHA256=F102E62DCA0CE518303742349FDADDA525980CFED7C6FD0BB7EF323E8E05BBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:39.820{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C034199330F3A97B8FED7E92BAB1E3C,SHA256=6151CD095717C80BC51D5D329189B57354A8232E8C3B0EBA80D172301313884A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:39.535{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88E011A9F008C691D9A4A81355B1B0C,SHA256=079B706E414784B1C2CB35939E7608F728E2DBD3FE21F918B9442D124E785250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:40.869{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F590C24D4C6B86B4DDC5CA519316C4,SHA256=89340731F1403F31C875430BA98E3C6E9C36B2DB4EDECA7B931C5E55AA25178F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:37.902{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53839-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:40.609{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5215A21767C358E255ECA69CCE913E3,SHA256=89B1367DCBFF3B962D2A17EAC135292272139499F6F5D6519C547E6C04353E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:40.671{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\respondent-20221024090942-353MD5=FB1204BD5E1FCB9F00F3D30191CDD410,SHA256=AD3DE377B45C073DC7811942D8C17D2EDF88FCE93F4C4FD49345F5808DA79585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:41.925{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4D3134E39632E6DCF36F69A5E5E920,SHA256=D2419005DC26B63B29EA5D78025BF23B7D03F971B4BE3465DEAE66CFF6F64179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:41.703{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7FA12CB7AB0FE2CD53D6B79060CA36,SHA256=647E7087647315E5AE4EB31D1019F45F3DD663C1657BFE9A6DFE1BF4B1D21937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:41.671{E8723972-5654-6356-2600-000000008902}2524NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0e84630e20b37f40b\channels\health\surveyor-20221024090940-354MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:38.973{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55784-false10.0.1.12-8000- 23542300x8000000000000000102363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:42.795{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9570B7ED768ED027B58BE91715A4160,SHA256=9E6D4F0F41B8BD4BC4710602740B7A600999634239D6138254685D9C4A765E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:42.215{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\respondent-20221024091957-343MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:43.005{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C4D659DCAB5BA6349718436815752D,SHA256=09C29938C1DE012CD4B8539F977EA79462518866B47E996B7FFED8C16C83FA72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.586{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.583{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.580{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.576{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.575{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.571{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.571{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.568{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.565{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.559{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.556{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.549{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.545{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.537{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.527{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.508{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.506{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.499{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.466{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.454{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.444{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.433{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.425{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.417{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.406{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.398{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.386{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.375{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 10341000x8000000000000000102365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.372{3A30D728-58BB-6356-1E00-000000008A02}14362984C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012439150) 23542300x8000000000000000102364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.218{3A30D728-58BB-6356-1D00-000000008A02}2044NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0573e2c781567a822\channels\health\surveyor-20221024091955-344MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:44.445{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD83305A043EEAC898910DBA183DC05D,SHA256=C99222A6864D19C5AAF3668E59345CAB8E7175AB0B101DB2FB781F17A28147F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:44.074{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AD3F54BCFBCC0F4C4682616BA721A06,SHA256=E4819237A85AEA1368788C484D1F72EEA8AA5B1482C9DCFAA0FBBAC08C099D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:45.475{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DB23630EFF6CD1C35DC481336C621C,SHA256=FF0CA14C9402029C71D4DCA0D828D2594F894A373126A98E194941F62DD5E48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:45.130{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F96EB3CF27143E870BAAB978600A6DC,SHA256=BBFE84E1C3310BF33B52CD781E5D2422DA94CCEA0170F0AB256E73B308E3DEA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:43.761{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53840-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:46.555{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767CF8FFCFF71B87BE42253E4C19EC3E,SHA256=BD69FBE4F782A275120CEA1CD976F920B7B5128ECE52A5AD5C7E48B6F5D30C7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.852{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.849{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.847{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.844{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.424{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.409{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.395{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.389{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.385{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000198206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.385{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.384{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.379{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.352{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.346{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.335{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.330{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.323{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.316{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 354300x8000000000000000198197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:44.083{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55785-false10.0.1.12-8000- 10341000x8000000000000000198196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.308{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.297{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.290{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.280{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.272{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.225{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.223{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000198189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.194{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22841CC9E68151B30250D82C08404261,SHA256=3B1B5761B7485989EBDA0D65D26C7DD9092FBA8A63098E209456F92C22E3E7EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:47.634{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA3408A558C2C1C8D91C80D8B1E20FA,SHA256=F10F136A45459E3E26CFEF91409709406DE016AE59D3C129D1A3DE5E90B12C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:47.319{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C58B1A5FF95FACFDC5A3655FE1D201,SHA256=A30BAC62F80256E68DB578316A574769FEA2881C3C170ADE467AF48686EB681B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:48.722{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AE49203A7C1264149A16672DE0D924F,SHA256=83864D50DBA4E14483590F4FD8DA9E94B25BC3BFC2420A8C9A930B13EF92CEF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:48.889{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:48.887{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:48.882{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000198218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:48.391{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD63D66663FBEF886E8AAD8BD2E5A61,SHA256=90D3AFA5D57F9B7570D94C160A1A70391AD4FF5CFAF9645D400186AD145E9CB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:46.272{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55786-false10.0.1.12-8089- 23542300x8000000000000000102399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:48.284{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15C1D1AE61C732365486EC1F9962D3ED,SHA256=A7C88BFDDA35C62C4F4FB9CCD398409B5A022DF439C2B0687F05DDE7E75E864C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:49.799{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4798B3E33A070735068D1ECB0FD4DBFE,SHA256=6706F81143D6F9A4946FB3720A4F1BC521CA91F236A2F379EB7E44DEB221287D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.636{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.633{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.631{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.630{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.621{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.617{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.615{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.611{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.608{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.606{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.605{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.602{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.599{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.578{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.577{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.577{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.575{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.574{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.573{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.570{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.566{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.563{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.560{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.558{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.550{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.548{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.522{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.517{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.507{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.504{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.504{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.484{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.473{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000198234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.453{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A827A4CD642129FBAC133CF19F9535,SHA256=8E337DCB91F4B5511F4E415341D72EA2C9C1039366A88623AB1D6FBA4291AE54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.441{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.434{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.424{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.416{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.414{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.411{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.409{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.406{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.405{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.401{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.400{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 10341000x8000000000000000198222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.398{E8723972-5912-6356-D001-000000008902}56045304C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80610) 23542300x8000000000000000102402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:50.886{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DBE06E0CCDA4CA4AD31CB0911F249B,SHA256=1D2002CC9E57CF8E4A7558C9994758C51CE5EDE9E33F2691361B10B25D365DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:50.599{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357DB791C2391F5F0C7AE5858512C53E,SHA256=DFADDD8BEAB4CACB46B5F5E8153678EA7CBFB1567127F63ADECE77F94DD28F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:51.687{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFFC77E9B7B123803080E3232FA4C46,SHA256=A0A18D23C757645AA7E94552BD58A9370335B78B38C2A8E2191D7EF8A51C3E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:51.977{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=211066CA9CA0CA030B7EA1FF9D854022,SHA256=FC4AF0F5E7035E1AC9A8EB4E4E4D715780EC701C66BE78032157FDA445CAC90E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:48.803{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53841-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000198269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:49.129{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55787-false10.0.1.12-8000- 23542300x8000000000000000198271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:52.842{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F68503D4992ACBF8C22CE626C52EDE0,SHA256=0F1CA28D5CF445A8D2F8037CDD9B6DE6AF29FEDB2EFABBCE835FC759C106A74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:53.905{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A390615898D0D4CEB479107AD255B748,SHA256=726F67F8FCE86AA824290D1946D5CACC93E4D43A129E430A35DF58214FCEAA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:53.053{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDDA2989F38AA63AF88F6F0C837DF457,SHA256=68B0BB22FB8BFEB4B0BA6DEDC944D451FDAF6ADFEF932D3E0DDF024BDD60A800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:54.977{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8D250B0B748EC1F6A5C0572117BB10,SHA256=549CF43B361335C2F221A85CAA1BA10132B7C376CDFEB3D589B91B92EB31E32E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:54.135{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F375CA75DBF61ABCB9C8FBA982F1D9D,SHA256=ED42640A386B29203E40A0C01E315580081C1E64A09915C0E62A2C655D39F3D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:55.216{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F241FC2B401173AC61B032D77682E2C,SHA256=0C6507914329F2444F35D542D287EE589ACC62141BBCE0830AF352476B48FDA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:53.902{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53842-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:56.305{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C733078F4659BDA53A0B57BEBC7140,SHA256=DEC5A513C9527A0B2EB18DF017A0C6132E68831AD703D159F87F43943769AD0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:56.079{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9EDCEB78BA965FB917430301286E2E,SHA256=B769150F6F829713525E8DEA02116869B69AAE6C220962ADA398D1BB1212BB4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.768{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB79-6356-950A-000000008A02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.766{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.766{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.766{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.766{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.766{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.766{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.766{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.766{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.764{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.764{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AB79-6356-950A-000000008A02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.764{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB79-6356-950A-000000008A02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.763{3A30D728-AB79-6356-950A-000000008A02}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:57.387{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5AB594581FAF132C60D54B06F94FD97,SHA256=5691A0D64863480439DB177542B9674FE2DEC9D5D0B7D35F36755802E575E3D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:55.020{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55788-false10.0.1.12-8000- 23542300x8000000000000000198275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:57.182{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5F4624CB4AAD48B897CCCA5C6C3CC53,SHA256=E8DB10425EF2F270FD02C5D3C3BE0FBC4D1108EDD5D5ECE3CE014F2632623859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.956{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E626AEF2BF8104255F42DE3DE1F637F1,SHA256=61792AE17127A67B1115853B8FE67FAC42B31BC45BDA62CCFB08C3301026D75F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.856{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AB24C8D307082A5052E4033B1E58145,SHA256=EABFE050B6DE9031AF6EA6CD0E6900791E3DB38CABC9B5D63061E2B1DD02B0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.660{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=06F0F488D1026D84941E4E876734765F,SHA256=8CE062ABD5656A10C1E89D2454ED5FA150F6985A0D010BF25E33C62FBEE18792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.488{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA809CDD9CBC21C6D949DAC704A9966C,SHA256=A88DB2172D01413DA54CA5FE8378F264B0E7272BBD58E37232AD120986445FAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB7A-6356-960A-000000008A02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-AB7A-6356-960A-000000008A02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.441{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB7A-6356-960A-000000008A02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.442{3A30D728-AB7A-6356-960A-000000008A02}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000198277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:58.232{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92F678D0C4C3AF29171E8C0FC80F69C,SHA256=2803A046C276B2DC4D8D503909065F9DFDA5D5B8E9F3666F03663C62D4A42589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.603{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D35649045577259D1A0917CBE791122,SHA256=EDF3A828DFEF6E72DA864CA041273E2083877446D1CAA0DE2F35B22AF5877719,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:58.006{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55789-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000198280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:58.006{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local55789-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000198279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:59.269{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B08DB14A7A9D99EEA902A39D3728A0D,SHA256=EEFBE34AD0617D38E8F31AE5A9FCAE8A37E48D04D2B4C375B27DBA26E2C387EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.167{3A30D728-AB7B-6356-970A-000000008A02}10121708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.011{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB7B-6356-970A-000000008A02}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB7B-6356-970A-000000008A02}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.005{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB7B-6356-970A-000000008A02}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:59.006{3A30D728-AB7B-6356-970A-000000008A02}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000198278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:12:59.169{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5E6877B466AD1FB950B90C24AF5B8FC,SHA256=AE7A9E2D67A1A8BEC0455DBDDDE1309CF700653CA5CC50E55F6B5D562ACB467F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.669{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE123E94CFD898CEBA94338BBDF5F889,SHA256=7584633E0942522387D400CEA03DAA9E3D5C7F5F00912CEACF513B06A410EE77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:00.356{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A907AD29337B3146EF40381D8388B31,SHA256=3C1CE63848981368B90577F0795D9437ACDB8A938740706DA7BCAEADAA64C325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.341{3A30D728-AB7C-6356-980A-000000008A02}748912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB7C-6356-980A-000000008A02}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB7C-6356-980A-000000008A02}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB7C-6356-980A-000000008A02}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:00.084{3A30D728-AB7C-6356-980A-000000008A02}748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000198282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:00.003{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=16F5FA08E79B66792FFDB6E14F5787BD,SHA256=2321F0952CDEB77BAB4319DDC7C8133A2C1BA02DF5B485E9033326289749CE1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.968{3A30D728-AB7D-6356-9A0A-000000008A02}35323868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB7D-6356-9A0A-000000008A02}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-58B9-6356-0500-000000008A02}4081032C:\Windows\system32\csrss.exe{3A30D728-AB7D-6356-9A0A-000000008A02}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.772{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB7D-6356-9A0A-000000008A02}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.774{3A30D728-AB7D-6356-9A0A-000000008A02}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.741{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C491C7FA7A82FCB0F231065A43D6D650,SHA256=84AAD6CB937B026FABA9C702556156B8C51D2ED42A2EF6E4E87F0F6DFA507A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:01.491{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDA4E95FC1BF82B0CDD132BC2E89F72,SHA256=24D0F776A805584E102A5105ED7C448C032556204986A52DD30ACB89C23872A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.428{3A30D728-AB7D-6356-990A-000000008A02}15243748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB7D-6356-990A-000000008A02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB7D-6356-990A-000000008A02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.256{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB7D-6356-990A-000000008A02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:01.257{3A30D728-AB7D-6356-990A-000000008A02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000102502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:02.821{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF23DEF799B0E476F3FB8D5EF413EA4,SHA256=8F39A0766C99454A83D04BE7E721B096C201281BC2E4227B774F9BD167E245DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:02.540{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=223296B14B8FBB44382B3279F2F70030,SHA256=352EEFFDD3A27F8153C3C2369B094FDF7724CFC46ACFECD4018573B72E6A0E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:02.227{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D7579B32C5913C55379E98E65B420D9A,SHA256=995AE18B388C48AA92FC9F2D0205556784CD23339A947C68CE8673FC63213F90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:12:58.923{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53843-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000198287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:01.052{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55790-false10.0.1.12-8000- 23542300x8000000000000000198286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:03.579{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57322C31530DD692DDE4400D79AC7432,SHA256=0252614E59FC9D005CF670BCA5578F5FADA5FC2EEFAED3DDAEA41441EB89407E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.595{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.593{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.589{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.586{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.585{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.580{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.576{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.565{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.563{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.559{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.555{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.551{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.548{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.541{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.531{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.518{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.516{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.506{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.485{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.477{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.470{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.463{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.455{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.445{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.434{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.425{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.416{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.396{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:03.393{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 23542300x8000000000000000198288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:04.629{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F853CB4ED17ABC6E24902033602982A,SHA256=3E33A03EA07B0F3622C262EAB8DADFAC348D5D73B21596B6A88D9373CD0EB5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:04.068{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398883BC40E1057CBED7CCF38361D669,SHA256=64BA50BEE88A5F05D63C1E8098E35EAF79146667EA0C8C219B293D143D412976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:05.671{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC2D447809374809A212BF783343BF15,SHA256=CF71D7D26F181447A3D188717D8735C3F6B628227D95DCF55984C80A06102FE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.917{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.917{3A30D728-58B9-6356-0B00-000000008A02}6243116C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.902{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000102546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.186{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5905A7AF26ABCC5ACC26E2F5FC6DD314,SHA256=4081C2F1FB0E3B44F44F9B02661CA79A266E31387A3A688E60D57E9AB30EDFF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.125{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-AB81-6356-9B0A-000000008A02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.119{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.119{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.119{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.119{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.119{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.119{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.118{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.118{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.118{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000102535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.118{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-AB81-6356-9B0A-000000008A02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000102534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.117{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-AB81-6356-9B0A-000000008A02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000102533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:05.115{3A30D728-AB81-6356-9B0A-000000008A02}732C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000198314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.917{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.914{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.913{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.909{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000198310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.715{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23699F2F5AA45EA3316DD97EF6B2163D,SHA256=AB2924DD3C1A6C2D9D15F3ACB636292BB21AC77C516D6579136CEB07C4B43AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:06.253{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=979F6BF78410752DC98AEFFF0910A342,SHA256=97C7E83522A5E2837044BD223A2FB4713FC525FC8C55D57DA597B265EE39F8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:06.238{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66496654E887405084ACAE1D0368EAF,SHA256=2F555798AB593E2D6859B823CC9E229FC00617C908FDBBC28A04748D498B6A33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.433{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.415{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.409{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.402{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.399{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.397{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.394{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.366{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.360{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.344{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.336{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.329{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.319{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.308{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.295{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.286{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.272{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.263{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.217{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:06.215{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000198316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:07.754{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=310EF76E785C0CC9A2D98A03E20C0742,SHA256=9B2A313E9A8B32659442F101C5174AA00E981D7DD09F2FC240A139FC0C775F19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:04.719{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53844-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:07.331{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B11677F6811F8BCB1925EF2FE7ACC6,SHA256=EB9790EFAA06F43A81FDCE219E8E5A36E75CA3C875E44EBB3C1D3C029487D776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:07.572{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23EE1ADD543DD291425A5DE87DCDDD21,SHA256=F3EF63B0BCA1B6481E385114DA1E6A3B603003E4B0AC2A0AE74716EDECE66BD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:08.929{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:08.926{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:08.920{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000198318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:08.804{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A033B8D8527CD7F815B1805F822CFE2,SHA256=766926B8F4381CE4C7761F8A9A1FA95BBD449C9CAA7D212D12554F9CBCD3BDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:08.415{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93B40EB9421E3B2ECE83D9ABD6552D63,SHA256=1917F23457F47E06FADB40D061F38A3D32A7DDFAE4820DF504F463F097B20277,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:07.064{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55791-false10.0.1.12-8000- 23542300x8000000000000000198367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.979{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607BDC4FDE32CFD829349698FE507F2A,SHA256=799DD16BD5F15600091E6078D9B384087C6BCD008BFAC953F6A04CB3D0B6BD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:09.494{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7628FDD7BC68E8D8728C176F8FA05E,SHA256=11580D62A6048D3B3FDBFF6E12526CADFB1F4053014C7B2A1DE99E0377563AAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000198366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.656{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-AB29-6356-5D10-000000008902}6952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.653{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A9FD-6356-3410-000000008902}8568C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.651{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A8D1-6356-0F10-000000008902}7808C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.649{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.641{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.638{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.636{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.633{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.630{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.629{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.628{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.626{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.623{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.605{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.604{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.604{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.602{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.602{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.600{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.598{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.594{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.591{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.589{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.586{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.577{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.575{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.552{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.548{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.536{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.535{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.535{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.519{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.510{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.478{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.471{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.461{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.457{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.455{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.452{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.449{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.447{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.446{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.442{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.440{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 10341000x8000000000000000198322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:09.438{E8723972-5912-6356-D001-000000008902}56045836C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D183D0) 23542300x8000000000000000102557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:10.585{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F3767D6BF6D15ADDAB17005B369C72,SHA256=66040418F3238CF6D489CF771A2F1165AF3178F416DF8616AC3579DAD5788FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:11.659{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD115CAE551C495D19BD265E2BF0CEE,SHA256=476959209F414565986687D5A440FBFD0CCCC4BC3ED3CC090FD7B73EA59BA613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:11.025{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF3055BA8BC3184ADB6598BF5E580F5,SHA256=F411304FA8F6632E5AC9BCED9345D2ED9F7026FBD96971D25545EDECB223F993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:12.734{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49EF4125D331304F22ECED2A8134619C,SHA256=A1D4519BFE572C8659DE6E94B4119C4199D2293B6205B770B4969A9C9AED294F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:12.081{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E1836660ADFCF0CC025A724F1D8CD7,SHA256=BE6EF46D2E6EC9559922495A76B13EC150919419CA854D142CE420E8C89D15D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:13.825{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2575ACF760B00DD3DB67ED9154750F1D,SHA256=DFA1B45B645F9E7D8E640706AFA23A66F5A23CB7FE3296B0368310E48AE6B66E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:12.152{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55792-false10.0.1.12-8000- 23542300x8000000000000000198370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:13.130{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267CB47C7F5E43EACEA3D235DFD0B3BF,SHA256=74191F67ACE6AC27F66375131074CC2499817FB6307DD9C8896C72D90FC58CF5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:09.883{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53845-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000102562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:14.911{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1CEE70F23132B539652F1A0417D3E26,SHA256=D5A0659A591B729F0EE8DF3A864DC411DC2BA8999846F25A4642E574B5509A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:14.186{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E10D85B50DDCEEFE34F95C7F96B7749,SHA256=D5F2BF840D37D3CD50CA4827BB3B76FEB95209FC534C3E24AC1CFDF4E3086E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:15.996{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E096DC4F0A4B332354A78AED1B2C6804,SHA256=86D71BD2BBF34DAE707652F48858FCF8E79A6BEAAD8FE840D111FA982C8C0FBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:15.235{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81645F1B818B8813A175B3A51673BAB7,SHA256=3C7B9D8141C34570EF3ED21AF5A1BA31EB69B58B1415D068E8CF3C398824A724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:16.291{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A35ECAAF2FC0F96B3962571F8FE68A,SHA256=B91BE3176E120FB63A6023478E296AC599B742885750DA3F959EC9108F3049D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:17.324{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BEEC76E6CA3305A4E4CFEA33BD313E,SHA256=E36982A7C9B0C88368645AB630C61ADC2ADC436752538FE47A4E7BB585FC1354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:17.082{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920C1A7BDFCA3FC2EA75AAD27EE5FDA7,SHA256=1DFF03CEBFB4033A6771D392BBAFD1085A813B87639A035166CF83FDD8F9E17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:18.375{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF440427BAF4C30455364CADB2906CEE,SHA256=529E84B84CAE626D4020EFBCC488E7EF9D18C448E65DDD48BD56445CDA260D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:18.213{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:18.172{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A512EE40B1191D522CC0DC539F6509,SHA256=FF02FD8226E287A89D914D0EB24424546CAE84F3736DDEDAE77A810795FD9798,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000198378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:18.088{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local55793-false10.0.1.12-8000- 23542300x8000000000000000198377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:19.428{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D82D1C25EEE21E2246F375CEF22FFE7,SHA256=FBBDDE360EC4E2ECB283F43EE02272E182495B1EE6A1A36DDA03CE15FEEDFBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:19.251{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5433508908FBF0A317C5F5DDCAC9C4C,SHA256=886C991BE29570C8649F48D07C54DBB50E66FC3D707241C51284783ED9288E02,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:15.883{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53846-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000198379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:20.461{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE695879A716EA83B6A5E08438D5167A,SHA256=BCDE2391435324B27BCACAB658F12B4D9B920F7012C10A6850D8EC2533AB4497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:20.334{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AAFA6D6018984CD466C061732EDBB5,SHA256=BE5DF258CD56663431E179CFF13D222153204E4D65CEA627E92784FAEC7CBB0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000102569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:16.882{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53847-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000198380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:21.603{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1ACE514E6737858FD736A4C17344C5E,SHA256=ABAEDD07D7D17F7EB53A8D9958435ED5A0FBC45BB93D4F3D0BFF063A01E07DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:21.404{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E65F313186A398B40DFAC08B5B29E4,SHA256=64B69F96D54CD840D1BFC7790DBA18F6ADB6433478003E7D910A2356ABDF6920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:22.652{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64DEEBF382BFF19DEEB0ECEC775E6C1,SHA256=D1B5E1DF76693FC6F2879D83BBCCCD5FC2FF3E0984944D9F461AD489BDDD050A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000102572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:22.493{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D272B16B191C544A25DFC069858F485,SHA256=B5140AA4B5D0E1F2A840AFC7ABC0A9E5F3E51A0DC38C095CA217FBE599894A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000198382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:23.735{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E145C29C2207925FC034BCC7939FCE36,SHA256=0622A636362D924A9A0F69571F7ED118CC255F5004C8DB067F1DC5A2F8DC1549,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.612{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.608{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.604{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.599{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.597{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.588{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.581{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.576{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.574{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.567{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 23542300x8000000000000000102592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.563{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80DD35814967631B76D6CE174FB4399,SHA256=E0AF88997AF0A58441B14BE8B66C2F8991E87452E22C9A1E65EE261076EE907D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000102591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.557{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.552{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.549{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.532{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.520{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.494{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.491{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.482{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.450{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.442{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.436{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.426{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.411{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.405{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.395{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.385{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.376{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.366{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 10341000x8000000000000000102573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 15:13:23.364{3A30D728-58BB-6356-1E00-000000008A02}14362980C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012A803D0) 23542300x8000000000000000198383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 15:13:24.724{E8723972-598A-6356-3A03-000000008902}2764ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\2764.xml~RF14d4d80.TMPMD5=38B3B629FA51245D94DE48EE973F2315,SHA256=7AEA9C989BB3CC8B7D4D000946600CD0CFDDD79E3F856C98B216BF82DA28A766,IMPHASH=00000000000000000000000000000000falsetrue