23542300x800000000000000098537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:25.730{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CB18B942C9E4638BB7A586809359AE,SHA256=1273BCC5AF5CEF9F45ED3CEBA375CAFB4C9A17EE132F5E568929F7069A17B42A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.741{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.741{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.725{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.725{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.725{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.724{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.724{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.724{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.715{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.714{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.713{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.712{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.711{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.710{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.702{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.701{E8723972-5644-6356-0B00-000000008902}632672C:\Windows\system32\lsass.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.698{E8723972-5644-6356-0A00-000000008902}6241516C:\Windows\system32\services.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.674{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.674{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.674{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.673{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.673{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.673{E8723972-5644-6356-0A00-000000008902}6242840C:\Windows\system32\services.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.671{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\system32\msiexec.exe /VC:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{E8723972-5644-6356-0A00-000000008902}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000191067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.670{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+11c8e|C:\Windows\system32\lsasrv.dll+1f318|C:\Windows\system32\lsasrv.dll+1e541|C:\Windows\system32\lsasrv.dll+1cd4e|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.670{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.670{E8723972-5645-6356-0C00-000000008902}8564620C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.669{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.652{E8723972-5646-6356-1400-000000008902}10528252C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.548{E8723972-5646-6356-1600-000000008902}13003348C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b910|C:\Windows\system32\wbem\wbemcore.dll+255ef|C:\Windows\system32\wbem\wbemcore.dll+24a8a|C:\Windows\system32\wbem\wbemcore.dll+2484e|C:\Windows\system32\wbem\wbemcore.dll+2684b|C:\Windows\system32\wbem\wbemcore.dll+22b68|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.540{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.529{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.529{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+6e0b3|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:26.823{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AD9A8469E3BF06F030A7E353B34ECFA,SHA256=968A9DBBEAF658354C1B9055C68AC3EF9B7D2D88D0BD68BA2EFD1C1AE2E52114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.990{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968B63CF33FDA4802CA505BB4FEDA2D9,SHA256=9EB70E4A3EE27C9A146CAD9311A95F6A5A273842A6CF9F452DDF989FB79268A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.861{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=57443036CEF4EDB6658B7A7394173F6D,SHA256=9BD2516E168AE20D631F6228A5CEBBC322AC921796005F2C28FE90E7463C7150,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.778{E8723972-A812-6356-EB0F-000000008902}75008412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.703{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.702{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.701{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.698{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.694{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.694{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.694{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.693{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.693{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.693{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.605{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.603{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.602{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.602{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.602{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.601{E8723972-A812-6356-EB0F-000000008902}7500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.567{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C0678BE996B7A9B3533B0038760AF9E,SHA256=0EE88A0A1C07D53D6F2DF5469F85571D96292D817ADCBCD41CD0A29FEC69F72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.528{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=98EB7DFE085D7EE844245C80EA568BD1,SHA256=C5CC878D62FE37CEE384BC2E929130409F3E01FBFC550C39369BEE7DA251FA8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:24.109{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60464-false10.0.1.12-8000- 10341000x8000000000000000191146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.385{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.376{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.339{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.334{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.323{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.319{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.313{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.306{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.299{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.290{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.285{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.277{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.271{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.235{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.232{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.066{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A0E712A2AFEB31844BDE5522742748,SHA256=4933031F222FC4BDC6A77EEE2085921C82E722CD491529F28C20D060C6DC2B92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.062{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3DEACFACC4DB00F48E3E94641E2713,SHA256=FECAFE8CAA23976BDD6CB65E2A9CEEBC43D07E57A210AF9693E1E42D8106BAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.062{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B275923CA142C8AD5B5D7FF28E2F92CB,SHA256=E43101C7A90FFB029251CD46F5CFC5FCBC2FE7781809D895468867F64BB5C92E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:26.001{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:25.997{E8723972-A811-6356-EA0F-000000008902}10024C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000098538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:22.884{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:27.915{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAFC3D0C9BBEACA1E28B661254CD032,SHA256=7992C8B9A24D33F640FAC350502FD70A4E2BF7D3BB4269219E861DCFB46428D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.133{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.131{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.130{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.129{E8723972-A813-6356-EC0F-000000008902}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:27.084{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06AC3F03FBD9CE34210611E606602FCD,SHA256=C44ABF67DE07C52182E29582099D2D64163F94F37793B0885F82991DBF1E51A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.716{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5912-6356-D001-000000008902}5604C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.716{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.715{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.710{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.198{E8723972-5646-6356-1100-000000008902}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=93250550F41C4588469AFF587B3C9ADD,SHA256=DD87F5B95FE8333BD27B2867792F14F1B4BCC88FA4B093546C68198EA219B129,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:28.110{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED5041A6665C53A5166FA1F74B51454,SHA256=C2537869AD0D547D63791A89C5E1B0D7BBF7E6F15E41726333685C13EF0058EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.854{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=645BF94CB62137007011DC1288562433,SHA256=CA2A4BD84C8AC03A2807D31DA56515577EA46180A84549F69D21EBF7DC6D623D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.419{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.415{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.413{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.410{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.408{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.406{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.403{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.401{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.398{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.395{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.394{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.393{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.392{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.388{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.375{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.375{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.374{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.373{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.371{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.369{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.357{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.350{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.348{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.322{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.319{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.308{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.307{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.307{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.295{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.287{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.258{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.251{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.243{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.238{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.237{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.234{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.231{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.229{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.228{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.224{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.223{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.223{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EA4D640D120182F97AFF81FB08F426,SHA256=F66B1F7D06F86B1791D0B9F35AB382211C4323D701E2F760E77D2B1C6C2065EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.221{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x800000000000000098541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:29.005{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BFACDF8DEB54C62C180C71A4638DE4,SHA256=1670B35A63A07EFFD14E78FB05D777C4FC22FD354BCEDCF600366ABE54D13A23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.790{E8723972-A816-6356-ED0F-000000008902}74089720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.759{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.759{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.758{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000191242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.724{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943751D69362A2667B35057AD14E30EB,SHA256=659B5C59C09547FDA9A54862D5C23E449CED9883D055931A5BB57930DD61E6DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.591{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.587{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:30.588{E8723972-A816-6356-ED0F-000000008902}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:30.082{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA89AAE95E279E0DCC1795FEF226D846,SHA256=35ECC73449180F351DAFB8BD798698AD8E4C6B53DFAA77CC8BE14139ADE63B9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.951{E8723972-A817-6356-EF0F-000000008902}48567488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.781{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8989CCD0C43E22A7A4C8CCFB541CB3D1,SHA256=6195F3D773CDE853734C7BB4083E6870F7C54445D6D172B40BCB25030E5F56EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.750{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.748{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.748{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.748{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.747{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.747{E8723972-5644-6356-0500-000000008902}416484C:\Windows\system32\csrss.exe{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.747{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.746{E8723972-A817-6356-EF0F-000000008902}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000098544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:28.744{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:31.163{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDA8F3903E5736150B2CE83FFF0E124,SHA256=86C84B1E1C2900EC80208FFF6DF2A9C3750E3DD9C97E6DF168A0964F622F55B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.626{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B27CF57625A5A0CAB40A769A332F8F5,SHA256=48B36E266D385FDA19D68B6628A830169A6CB75ED711B721DF1C72E75FC93989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.578{E8723972-A817-6356-EE0F-000000008902}24088016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000191258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:29.925{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60465-false10.0.1.12-8000- 10341000x8000000000000000191257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.253{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.249{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:31.251{E8723972-A817-6356-EE0F-000000008902}2408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.854{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.853{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.853{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.853{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 23542300x8000000000000000191280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.800{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA0C1F9E9F540E0CB3C58130F0CF2F1,SHA256=996F24DC27C0BA08664713E938F46BBD85613BB3D5378A63A415E91421D96E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:32.600{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F7E562BA3E2E32EB39F07B09CDF709E4,SHA256=DD2B62B2D83133828F8272C5B7A7C79D6D27E7A20687A679D0E655ADE9AA13BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:32.256{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6C361A2738F446D89B876234B87C24,SHA256=D1EF77FFAD4EE1369D6B036BFD8D02FEDF484EB6A401AEAB8093DFF55E70328B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-56B7-6356-A800-000000008902}40682116C:\Windows\system32\conhost.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-5644-6356-0500-000000008902}416532C:\Windows\system32\csrss.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.673{E8723972-56B7-6356-A400-000000008902}19243232C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.672{E8723972-A818-6356-F00F-000000008902}9968C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E8723972-5644-6356-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:32.290{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7B230896722891C9FBE2F0E3AB66303,SHA256=FB2A2107954045E03BD54CB0ED0DFE54E2A39916A057B96F8CE8CFF308E34B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:33.821{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F943A56F9C911B89BDF0D0CD2A3020F7,SHA256=FF9DB818061551F7776E92D547FB81B058FFEF8DAD887F9406A22BAABC0D6CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:33.371{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150321C7E810C388C6B9426536016691,SHA256=57B9333C70F013989CF7ECFE45CC973F9D83F308718E6A4AA5BE320AA8821F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:33.304{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5167F07D6EE9C9EBFA85932CF77C8CE0,SHA256=BF4A2A29C6FE4066D859F9523821B0AA9A594CE949C6173974ED03A7847128B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:34.845{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131C55A2115D2C8A8BF2F942F65D947F,SHA256=47F3B9075EB32F04ED43325B52FE42CE073B33D48C645E107AF051ACFDB45C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:34.460{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E85763F28AEEE220EDD2FBCC8C3FFE,SHA256=0A0BF4785636298DD22E4B97F66BC6D5BEE2903CC932F233B074FD1F4186FEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:35.554{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43B86B99FCE2048A7E00141D484EFC6,SHA256=7A5D48DAC8386B31C1A56FE6684AA8ED3046C8466DF13C562E21AC4E719D67D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.937{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C11F62358D7C0ED575B267A2EFEE3A,SHA256=92DE5BD52F550C978E32762A8D8496BCE78E7DB34E265866BA5EB3250305C786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.922{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.922{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.922{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-5644-6356-0A00-000000008902}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:36.647{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB548BA18CFF73E9E1110C75604C6D8B,SHA256=CC2E782D05BB51EEAA52A65FF838EF39DFB956C8292786F276EDE0D57AA949B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.949{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A23A73BDC5673A07635EA73A8E8715B,SHA256=9B985A84EBA0A6CA0E63C39B96F11AE7079CB31CC72D00986CB469DB899AA28F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.931{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6BB944697B572E574632FBE4DDB55822,SHA256=42EAC640F3718C6416FC14FE086F99ED80554F7AF989881585A87B956E60AE37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.075{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=55898A4C2C7376421E486DA4EC10B198,SHA256=3FAA3DCC84C6E20CA1DB73A4034EC0C6C7A43D8D63BD73C1A9166954F47AF86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:37.733{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671EE2752952116AC24C5F03DD265B17,SHA256=A92F5883586DBB200106272C21F632EE026F6D2F14BD9D0520338DC83FFDD102,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:34.747{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53674-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000191298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.838{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60467-false72.21.91.29-80http 354300x8000000000000000191297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:35.102{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60466-false10.0.1.12-8000- 23542300x8000000000000000191296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:37.459{E8723972-A811-6356-E80F-000000008902}8072NT AUTHORITY\SYSTEMC:\Windows\system32\wbem\wmiprvse.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\85901D9A10DB11178C1ACC091B3F87900667513CMD5=5752FA13D2040388B50D0A599B755AF9,SHA256=AEE8EB879D7B426CA2495C9989E6A039E0CB9B5FC46BDFFB53CC70B7A467018D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:37.459{E8723972-A811-6356-E80F-000000008902}8072NT AUTHORITY\SYSTEMC:\Windows\system32\wbem\wmiprvse.exeC:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\85901D9A10DB11178C1ACC091B3F87900667513CMD5=D6A1DC2E53EB9C8135B71500AF196259,SHA256=0FDF371D1A90626666521A6BD13610AFF369DF52B3863816C156756C78B59A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:38.813{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8D221B53513A8759C32EA9313C5F95,SHA256=CC7091CDCA060A33AEE81A3BA03772C3CB82282192CC4A872810414F4BED3D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:38.702{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=542A49B473E5F032DA3EB6410040DA1F,SHA256=149C2F0C1597CAEA7FCE2AC62FC9F7E1BDF502DB088D2B1EBC88E73F65B5D45E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:36.530{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\System32\wbem\WmiPrvSE.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60468-false72.21.91.29-80http 23542300x8000000000000000191299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:38.025{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7F4DECE8D0DDCAA2733AF33E1149AF,SHA256=D764DDA0C6FFC75DAF4D260CFD9630D379975CEA3C771B1EBDCA9BAA0CC8FC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:39.902{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436A05A1F39A70E0D92C28E791983900,SHA256=175A4D0DA8A3BEC39D9C86EDEA70DA5B19D1C50B15C58FD305EBF42B02525C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:39.115{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B37AED88F75F95E30A9713B69124EFB,SHA256=DEF89E2CE279950E8C050B05B95C02637504BBA19CBD83B6F4C25099F0C6D96E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:40.994{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F158087E0D186CA9F5D8E63CA311722,SHA256=8C24EC9123B25C58BED10AA65DB06075F4B1A9489341373D78813DB3E7A8C346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:40.131{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16F980EFA18093300796BE7FC4EE022,SHA256=149E0F120E830147A63E48F338E15CC7E42371CB451944FE8130B25A194501C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.990{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.989{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.989{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.988{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.988{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.988{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.965{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.965{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.965{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.941{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.941{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.941{E8723972-5912-6356-D001-000000008902}56045656C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D80850) 10341000x8000000000000000191340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.777{E8723972-5644-6356-0B00-000000008902}6323216C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+1422b3|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0f5|C:\Windows\System32\windows.storage.dll+14221e|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+142203|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+142203|C:\Windows\System32\windows.storage.dll+141553|C:\Windows\System32\windows.storage.dll+1413d9|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+143eba|C:\Windows\System32\windows.storage.dll+1414ac|C:\Windows\System32\windows.storage.dll+141288|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+143ea8|C:\Windows\System32\windows.storage.dll+1414ac|C:\Windows\System32\windows.storage.dll+141288|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.648{E8723972-A821-6356-F10F-000000008902}95166640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+143ea8|C:\Windows\System32\windows.storage.dll+1414ac|C:\Windows\System32\windows.storage.dll+141288|C:\Windows\System32\windows.storage.dll+449c5|C:\Windows\System32\windows.storage.dll+4490d|C:\Windows\System32\windows.storage.dll+50d86|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.647{E8723972-A821-6356-F10F-000000008902}9516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF13fd3da.TMPMD5=8554CEE29C03241DFB5882E9984AA700,SHA256=FB6542D6D734A4D8C127624D80AED6D404A14B78F01E3564E0322ACDDB2A2FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.616{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.585{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.585{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.577{E8723972-5904-6356-9601-000000008902}52565152C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.577{E8723972-5904-6356-9601-000000008902}52565152C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5902-6356-8E01-000000008902}47161148C:\Windows\system32\taskhostw.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+1a7a4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+1a7a4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52567984C:\Windows\Explorer.EXE{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a954f|C:\Windows\System32\SHELL32.dll+aac90|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+7f8c0|C:\Windows\System32\SHELL32.dll+aac4c|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.561{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-5646-6356-1600-000000008902}13001680C:\Windows\system32\svchost.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-5646-6356-1600-000000008902}13001340C:\Windows\system32\svchost.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-A821-6356-F20F-000000008902}82129896C:\Windows\system32\conhost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.516{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-58FF-6356-7F01-000000008902}6482316C:\Windows\system32\csrss.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.500{E8723972-598A-6356-3A03-000000008902}27649004C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\System32\windows.storage.dll+1492df|C:\Windows\System32\windows.storage.dll+148f55|C:\Windows\System32\windows.storage.dll+148a46|C:\Windows\System32\windows.storage.dll+149eb8|C:\Windows\System32\windows.storage.dll+14886e|C:\Windows\System32\windows.storage.dll+14b40d|C:\Windows\System32\windows.storage.dll+14bb4c|C:\Windows\System32\windows.storage.dll+14aeb0|C:\Windows\System32\windows.storage.dll+14d60e|C:\Windows\System32\windows.storage.dll+14d302|C:\Windows\System32\shell32.dll+100749|C:\Windows\System32\shell32.dll+ff2f6|C:\Windows\System32\shell32.dll+f1bc9|C:\Windows\System32\shell32.dll+aefce|C:\Windows\System32\windows.storage.dll+12c92|C:\Windows\System32\windows.storage.dll+12989|C:\Windows\System32\windows.storage.dll+1285f|C:\Windows\System32\shell32.dll+f1c4f|C:\Windows\System32\shell32.dll+aefce|C:\Windows\System32\shell32.dll+fe2d3 154100x8000000000000000191305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.506{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{E8723972-5901-6356-440F-1B0000000000}0x1b0f442HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe" 23542300x8000000000000000191304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.248{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600AAE4A579EF48DD0496CFACA08F750,SHA256=0505CAD316A32D198111ADB547D17CCF2DD196F6A9B6E714322A9990427FDB2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:41.133{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60469-false10.0.1.12-8000- 10341000x8000000000000000191363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.753{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.753{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.637{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB89E0988F4F130DE7C1661DB939E7A6,SHA256=D3158214CDBC3BC6D055F098133D8939F0747CD25466F48CF0AB332B8DAA9E42,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000191360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-CreatePipe2022-10-24 14:58:42.606{E8723972-A821-6356-F10F-000000008902}9516\PSHost.133110971215064802.9516.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000191359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.606{E8723972-A821-6356-F10F-000000008902}9516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_zrvkwb5b.ue1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.598{E8723972-A821-6356-F10F-000000008902}9516ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mooqjgva.1ix.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000191357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.482{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mooqjgva.1ix.ps12022-10-24 14:58:42.482 23542300x8000000000000000191356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.478{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFC6DEE79CE1DE41FBE4D6503465A45,SHA256=2E1CD97EACB9CC2D18C701D48027953767525040AE6117BA625978707107A1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.476{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D3895618CA70DDC89E77871E6EFDC0,SHA256=3EE68130648A05AE1682D4CEB2905B5138FBC680A9C05A0602A47FB02A96E963,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.475{E8723972-5644-6356-0B00-000000008902}6328596C:\Windows\system32\lsass.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8124|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:42.470{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000098557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:39.937{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:42.078{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B47851AB1967BBE5387D88E4C6CD2E7C,SHA256=0ED3576C06D5A57E92A993CE7F9A98B394139C1ACE6243C2E2D66F495D0A294B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:43.539{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5CD70B3B2D7660742A03D2DA28CE4C,SHA256=1FBDAE442B185D77C434205CC074009494E936DA91A3DEFA6320555F8E0210B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:43.515{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6679556A0B6F46E631405C6C14DA9852,SHA256=748B36D79EB74DA183D1B6EAC39330770F73F997C482B074BFB170ECC2D2CD5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.574{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.568{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.565{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.562{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.561{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.557{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.556{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.553{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.552{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.549{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.547{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.542{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.540{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.526{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.506{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.489{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.486{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.478{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.441{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.432{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.422{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.415{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.408{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.402{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.395{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.386{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.377{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.365{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x800000000000000098559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.361{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 23542300x800000000000000098558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:43.179{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C26C6470D4F7E43E62EB37C8588FB6F,SHA256=AEF9DF262D59F746CDC0310541127373A499B69C28F65D653800BCEAEC7BC356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:44.596{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB931B61DBDD5024E3FF58AC3725415,SHA256=D91B36CA0D306583C28FF0963290178B8FFCBB66423E536446FAEFE8028CD877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:44.693{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B675F3DA9342261C3D8F04FAA7F870D9,SHA256=03C4F755B0E2F68DD11FA4027EB7CF5A267B5C0E846DB95BDD0BCB9084936D80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:45.667{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DBD4D64BA4F93A2E78F9FCA38A62678,SHA256=0AF08EA2DC45F1FBDF43EB57FCC2BA0EA31CE7E9975273DA5B849A29BD49560D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:45.781{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF6DE4B36A7338860CCA855FA52C76C,SHA256=4FFE7975A433693548A33D35F5C486DD4DB656F1F334E8A0F7BE4F9EB76AC6D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:46.866{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CBA942CB7B9CDDD542377247D7E5B5,SHA256=12775DFB987AEDD346FE41F2A6889E4E94ECE2F513FBB2A9873308BE7952F3A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.787{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA5EDF558BA8D8AF5A7CE2B0AB1AED2,SHA256=C53A6BDE0CDA583ED60D939877A17E72FC55F1A5615CEFDC468B0E39B44A7F8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.734{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2700-000000008902}2636C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.732{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2600-000000008902}2524C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.730{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2300-000000008902}2452C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.727{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2200-000000008902}2444C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.386{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2100-000000008902}2436C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.376{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.372{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1F00-000000008902}2420C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-1E00-000000008902}2332C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.364{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-564F-6356-1C00-000000008902}2180C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.362{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5647-6356-1A00-000000008902}1528C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.360{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1700-000000008902}1404C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.339{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1600-000000008902}1300C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.334{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1500-000000008902}1264C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.321{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1400-000000008902}1052C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.315{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1300-000000008902}988C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.309{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1200-000000008902}620C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.301{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1100-000000008902}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.293{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-1000-000000008902}420C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.284{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0F00-000000008902}100C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.278{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0E00-000000008902}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.270{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5646-6356-0D00-000000008902}912C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.264{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5645-6356-0C00-000000008902}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.230{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0B00-000000008902}632C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.228{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5644-6356-0900-000000008902}572C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.183{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=EBC246A02A66D61160571F486D53D657,SHA256=90F1D35A1D005EB6F477DA3BEF88A2625988F3BE38B8B1D56CB99CF0BD9A80B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:47.751{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009AFDC4CC829C6C863371D3532D4C56,SHA256=3CCFA7A2C62D7BE91588D6DA1FD12D8E2D3499D918BD0BA4B9CA3E6D8E9446DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:47.953{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4477925F233D29DA1DC4353C19EB4F,SHA256=D91147BABF882930015B32B6C86161E85EAD6BC6EFF16CA21863CDDE9167253A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.807{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48FFF7A63E1177F10BC2A3056ABED55,SHA256=DEFB5DE479177F00F9BD51F16CC795826A2B48665CFC7F0A6DF87861506A3BDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.764{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2C00-000000008902}2144C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.755{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2A00-000000008902}2856C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x8000000000000000191397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:46.055{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60470-false10.0.1.12-8089- 10341000x8000000000000000191396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:48.749{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5654-6356-2900-000000008902}2660C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 354300x800000000000000098592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:45.919{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53676-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000191451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:47.057{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60471-false10.0.1.12-8000- 23542300x8000000000000000191450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.773{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A2C83FA242EFBFD0B0EC629CD6E291,SHA256=21E46416212CC50E77A3A4D55CDD5CE18AE80AAA3959936269B82A433211AC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:49.044{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6E04F220E9510FFB6E750519BC7CB6,SHA256=483659607582B201A105DB7513B0F41D9524DDEFB05AF0B107A82F221282F82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.570{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2F47BE5543517B8BEF086DE8017296,SHA256=FAA8AC33CEAFCA746EF344FE029EEB604255DCFAB2D89EA7967B8A7FF73CCD06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.495{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F20F-000000008902}8212C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.488{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A821-6356-F10F-000000008902}9516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.487{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E90F-000000008902}9796C:\Windows\system32\msiexec.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.481{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A811-6356-E80F-000000008902}8072C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.479{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FE-6356-E60F-000000008902}10084C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.477{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7FB-6356-E50F-000000008902}6320C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.475{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7F5-6356-E40F-000000008902}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.472{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E9-6356-E30F-000000008902}9672C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.469{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A7E6-6356-E20F-000000008902}9316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.466{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A6D7-6356-B10F-000000008902}7948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.463{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A679-6356-A60F-000000008902}3340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.460{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A636-6356-9A0F-000000008902}9432C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.460{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-5A0F-000000008902}10132C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.458{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A4E8-6356-590F-000000008902}10112C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.456{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.453{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6FCB-6356-8408-000000008902}6556C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.439{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6E05-6356-3708-000000008902}8060C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.438{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2D08-000000008902}7580C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.438{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-6DE0-6356-2C08-000000008902}4948C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.437{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-64CD-6356-B006-000000008902}1792C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.436{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-60DC-6356-3106-000000008902}3716C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.435{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5DFA-6356-C005-000000008902}2392C:\Python310\pythonw.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.433{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8905-000000008902}8088C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.429{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5C6A-6356-8805-000000008902}6288C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.426{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5B39-6356-5C05-000000008902}1928C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.423{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0E05-000000008902}6372C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.420{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4C-6356-0D05-000000008902}2888C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.412{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0B05-000000008902}2468C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.410{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A4B-6356-0A05-000000008902}4004C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.381{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.378{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-59DF-6356-B003-000000008902}4440C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.367{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E501-000000008902}6868C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.366{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-591C-6356-E401-000000008902}6848C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.353{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5916-6356-D501-000000008902}4740C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.345{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5914-6356-D301-000000008902}6004C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.312{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5904-6356-9601-000000008902}5256C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.306{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8B01-000000008902}5060C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.297{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5902-6356-8801-000000008902}4200C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.292{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5900-6356-8201-000000008902}4372C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.291{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-58FF-6356-8001-000000008902}2484C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.288{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56CE-6356-F300-000000008902}1324C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.285{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56C5-6356-EE00-000000008902}4104C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.283{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.282{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A800-000000008902}4068C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.278{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-56B7-6356-A400-000000008902}1924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.276{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3E00-000000008902}3572C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 10341000x8000000000000000191401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:49.274{E8723972-5912-6356-D001-000000008902}56046612C:\Program Files\Aurora-Agent\aurora-agent.exe{E8723972-5656-6356-3D00-000000008902}3532C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001C018190) 23542300x8000000000000000191452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:50.806{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC8EC143F29715E009EC8B4FE4FFCA8,SHA256=C026069F95F8BF1D93B65966A364F329F3E125FCC64F5E5A9202926A876B30BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:50.242{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536DDF9A828E079C7480B049E0643F1,SHA256=965AB106624F537F954B6EEC6C4F359E8B64036A9D219B9A22D1E0E3B6D7E287,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:51.877{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B96CC38B2B6018469607C46192D822,SHA256=5590A4D623921FA0F73A1E12519FE4792E434F48B60668BE0E845799B2C8EFC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:51.329{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86A4B0017D3665AA2D0F754374089C05,SHA256=D8D0F04105E9B56837A139AE5684E7CAC53C92B286B9A298DABD1EFEF07D4775,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:51.324{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:51.323{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:52.423{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4334EB75CE200DCBD814FE40E4642FF4,SHA256=2517F97F2B8E43116FB5336EA2DD4A1D43834D6EB5E1D4C6DAADF1F4D79E8803,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.108{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.108{E8723972-5904-6356-9601-000000008902}52566072C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+ab1f7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+12a7bf|C:\Windows\System32\windows.storage.dll+12953f|C:\Windows\System32\windows.storage.dll+19ecff|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.092{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+153f9|C:\Windows\System32\SHELL32.dll+a9cf0|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.092{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+a97a4|C:\Windows\System32\SHELL32.dll+aac20|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:52.092{E8723972-5904-6356-9601-000000008902}52565976C:\Windows\Explorer.EXE{E8723972-598A-6356-3A03-000000008902}2764C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:53.500{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF677A1D7612AB86ED5E2A66A075A10,SHA256=476745B3923D61AF4C535A9F36689AED28D5E92C128FB5810554A37E209DC2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:53.034{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F49227AB7D771E8D397D069925328C7E,SHA256=AB360D54E2BA4C2314E2793B1704111E1F3C8A0A8563C1E54B85F36649988458,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000098599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:51.928{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53677-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000098598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:54.578{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5FFD67C812D610211439B1067A03A9,SHA256=59DF6A77D15276433310F0ACB1481E53C26B8C75F2D56EB18149EECFD9941026,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:53.066{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60472-false10.0.1.12-8000- 23542300x8000000000000000191462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:54.095{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BDC2D8DEF21118A2F9DB33142A8BD6,SHA256=1B129EAD8C25AB35C685FB8F8B2EF3DF2C22CC76BD6E8D6F372A13B64FE4DBAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:55.663{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0D610D3906034B42E6E822DC7238C8,SHA256=18743EDE0E98FBE8A902A51ABA9728DDD9E13CED33825A51ABDFFA6F7BB930AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:55.165{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A52B605FD6DE7658939CCA376C5FD3F,SHA256=F9B19BDE9FED3E45F2E870DEA0BC01725756DFD3304AEB534A74E7EA07F404C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:56.735{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11BF91A625928110F7F2AE246BEB98DD,SHA256=1DBC291914C82F59073C851BBF0878133CE264AD714D4954E4EA8289B2CEEAD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.231{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7202E0F7344FD43234621B15248740,SHA256=6F3CEE82B29708226260DD59068C39653A5E3041772696DE0DC70368A3439E55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.904{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.905{3A30D728-A831-6356-330A-000000008A02}3512C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.826{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9C3D15EF81801628E86E23142288CB,SHA256=C388B4313E6A305689E9C96F33C2E288D8A3D0D16A750BC75EFF3E1183EB9A07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.180{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local51300- 354300x8000000000000000191469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.177{E8723972-5A49-6356-0405-000000008902}5716C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60473-false161.71.11.52dcl7-ncg0-lhr4.la1-c2-lo3.salesforceliveagent.com443https 354300x8000000000000000191468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.117{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60091- 354300x8000000000000000191467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.092{E8723972-5654-6356-2100-000000008902}2436C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60091- 23542300x8000000000000000191466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:57.284{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD58EC0905C2B9BF4CD5E73F22165124,SHA256=444F1D339BBB774ABACD37E83FF1A7DBD52A5DBC88CC304F5856962AF042DD4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.954{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB546E4AEDD183D9D7402430900CAA4,SHA256=642EFC6BC825B07686D5D87A8DD21319D45D969FD7BB0E22665B6AB412311AB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.925{3A30D728-A832-6356-350A-000000008A02}1792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.923{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D25C145EF448154DED85918ACCF5CA9,SHA256=68BBCBF64293F29E87F35039E5A4A802F02866391948C3A228DD035451BC30EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:58.386{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A41F7CE7D8930E496936618834B74B,SHA256=39B2BAD1A1B12AC01A64207BA229BCAE0C31110105168E6EA49389D20E51746C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.686{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AD68098F2292336F8727C8965F9AF526,SHA256=4FD0B24A0BB1BAB0ED864DA2935CA77443DFE8ACC624189456B7D0306345E896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.561{3A30D728-58BA-6356-1100-000000008A02}952NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A1F5DFE58850B2ABF93078E38836674B,SHA256=06DDD2365AA489D39D8D09528609A94B2C97ABB9D67F1E1BDC2AEA4DC1F12DC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.419{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:58.420{3A30D728-A832-6356-340A-000000008A02}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000191472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.185{E8723972-5A49-6356-0405-000000008902}5716la1-c2-lo3.lo3.r.salesforceliveagent.com0161.71.11.52;161.71.11.180;161.71.8.180;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000191471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:56.185{E8723972-5A49-6356-0405-000000008902}5716d.la1-c2-lo3.salesforceliveagent.com0type: 5 la1-c2-lo3.salesforceliveagent.com;type: 5 la1-c2-lo3.lo3.r.salesforceliveagent.com;::ffff:161.71.8.180;::ffff:161.71.11.52;::ffff:161.71.11.180;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000191477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:57.829{E8723972-5644-6356-0B00-000000008902}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60474-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 354300x8000000000000000191476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:57.829{E8723972-5654-6356-2000-000000008902}2428C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local60474-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-702.attackrange.local389ldap 23542300x8000000000000000191475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:59.465{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD248EF59A81C28495A28A6FF38EC1B5,SHA256=1361D653940DF872F99C1B686452ECEB5AC086B00842E48BF399BDE84472F699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:59.157{3A30D728-A832-6356-350A-000000008A02}17921012C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:59.003{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FE8172D0793FFBB82CE026157ABC594,SHA256=EEA42029EAA2D7730EFB9FB687F2A5C6CE7D618596941CCFD21B98474420B129,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:58:58.104{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60475-false10.0.1.12-8000- 23542300x8000000000000000191479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:00.566{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39F4D5A2FA43E2D65D222F6D25D6C87,SHA256=7BB79D5D70417CBE9055C89152064AA8A102C35FCC4E99E73649BF12FD9E3035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.433{3A30D728-A834-6356-360A-000000008A02}1372968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-58B9-6356-0500-000000008A02}408524C:\Windows\system32\csrss.exe{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.087{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.090{3A30D728-A834-6356-360A-000000008A02}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:00.024{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D7A9D2D4D68B8E0E7C03815D3EE978,SHA256=82DBC2F77112F8F965F947A47CB29A121BFD87B11D81A602E595BF57A7DF8F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:00.166{E8723972-56B7-6356-A400-000000008902}1924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A4C087555A0EE7FF2319EEE7AF28C6C7,SHA256=3C25A6E324B1C13721A56944188EACAAF86C202DF44B42AD51825718743DD130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:01.717{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CAA2D2838104087B862AED4CDD25FD,SHA256=29DB58924DC584FC6C4BBEC75B0A279DDEF790D5B3B59CFC9B617A43222D4CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.902{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.899{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.898{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.898{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.893{3A30D728-A835-6356-380A-000000008A02}2732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000098677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.431{3A30D728-A835-6356-370A-000000008A02}19921084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000098676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:58:57.928{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-140.us-east-2.compute.internal53678-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000098675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0500-000000008A02}408424C:\Windows\system32\csrss.exe{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000098665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.226{3A30D728-592B-6356-9900-000000008A02}20962060C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000098663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.228{3A30D728-A835-6356-370A-000000008A02}1992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{3A30D728-58B9-6356-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000098662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:01.117{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226FC3124C030AEB896679628CB01874,SHA256=8F80AD10A5CF3ACC6313D8CF88C97DC689B25741211B66B5DEAC5E73067CEB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:02.793{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F5164D926151A9440C16BCD9BFC225,SHA256=E24D541938F597EA8DAEF658AF2EA896903BC3D99794D66C763071EB60BE423C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:02.794{3A30D728-592B-6356-9900-000000008A02}2096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6E27E9995B1A8C2DFC0E070223D5F66,SHA256=76E5156F827707B38469F6526C249D8FEA92F7B89BCE6B1A049A003A594E4884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:02.372{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFE495D792E102C8D7BA51985CD7C2B,SHA256=B2AD0168033CCFAA2EBDD4B802BB0451F957F01064DFC2BDC0EBF126474B3B71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:02.107{3A30D728-A835-6356-380A-000000008A02}27323748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.872{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9903868E9734885CE8F6AF198EF2CC,SHA256=EFF72266FD4D2BA933C96F8CC3469E7F3EAF5F3D80C654E4EFE95A9A6CDCD2DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.636{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-A2D5-6356-9809-000000008A02}2664C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.632{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-593C-6356-E600-000000008A02}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.629{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5936-6356-CD00-000000008A02}3672C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.626{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-5935-6356-CB00-000000008A02}3912C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.625{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592C-6356-9D00-000000008A02}3804C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.621{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-592B-6356-9900-000000008A02}2096C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.620{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3600-000000008A02}2816C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.616{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BD-6356-3500-000000008A02}2768C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.615{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BC-6356-2400-000000008A02}2520C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.611{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2200-000000008A02}1804C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.609{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2100-000000008A02}1848C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.607{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-2000-000000008A02}1684C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.605{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1F00-000000008A02}1616C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.596{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1D00-000000008A02}2044C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.587{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BB-6356-1B00-000000008A02}1872C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.551{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1700-000000008A02}1216C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.549{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1600-000000008A02}1208C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.536{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1500-000000008A02}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.492{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.484{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1300-000000008A02}740C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.473{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1200-000000008A02}976C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.465{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1100-000000008A02}952C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.456{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-1000-000000008A02}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.449{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0F00-000000008A02}892C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.439{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0E00-000000008A02}884C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.428{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58BA-6356-0D00-000000008A02}772C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.412{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0C00-000000008A02}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 23542300x800000000000000098696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.412{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC353C288C3A4A2AC54371430C193950,SHA256=057F8EAFCC32A97E5D5925D129021B25EC7E5EB234591DEFA4F2A2C5A863F640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.389{3A30D728-58BB-6356-1E00-000000008A02}14362488C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012438610) 10341000x800000000000000098694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:03.374{3A30D728-58BB-6356-1E00-000000008A02}14362976C:\Program Files\Aurora-Agent\aurora-agent.exe{3A30D728-58B9-6356-0900-000000008A02}564C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012900A90) 10341000x8000000000000000191491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.510{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.495{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.495{E8723972-5645-6356-0C00-000000008902}8562972C:\Windows\system32\svchost.exe{E8723972-A274-6356-DA0E-000000008902}4720C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:04.929{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC334F286838106A81B03C85DA90444,SHA256=65B6A53099725E9B46E949873C8F60EDE7CF38D5599E2898EB7E150FC2685388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000098724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:04.662{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD79B9C24C1835DDEA9A4DF1AC5417D,SHA256=D5ED189FC0EF3313D7892E8850D368A091996E41CA6BCBA11061AF9CBA2A5409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:04.574{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E27B13735B811FC05E7FBE85EB5BBC60,SHA256=BEC9E6327194CE171A89EEAC8D81E54C57141E1AD78A6574685D0DBEF8404EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:04.239{E8723972-56C5-6356-EE00-000000008902}4104NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7F0A9A6B686397AAD406936D405AF1BD,SHA256=ECF475E26C05B64A717927F5A6EE4EE75B1F286B163DF75387A25C0BCEDA93AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000098742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.928{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.928{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58B9-6356-0B00-000000008A02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5e9a4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.928{3A30D728-58B9-6356-0B00-000000008A02}6243016C:\Windows\system32\lsass.exe{3A30D728-58BA-6356-1400-000000008A02}960C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000098739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.913{3A30D728-58B9-6356-0C00-000000008A02}7243036C:\Windows\system32\svchost.exe{3A30D728-58BB-6356-1E00-000000008A02}1436C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000098738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.787{3A30D728-593C-6356-E600-000000008A02}1232NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D78A31803E5AFA30E283A84F88913A1,SHA256=CDB70DFBDF27C828AE24BE6B9871292E05318971CEC5840F5F616C190D2850DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-702.attackrange.local-2022-10-24 14:59:03.984{E8723972-56BF-6356-D500-000000008902}3156C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-702.attackrange.local60476-false10.0.1.12-8000- 10341000x800000000000000098737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-140-2022-10-24 14:59:05.007{3A30D728-592C-6356-9D00-000000008A02}38042996C:\Windows\system32\conhost.exe{3A30D728-A839-6356-390A-000000008A02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprin